I have set up a classic SQL Server Multi Tenant DB, Shared Database, Shared Schema, will be cloud hosted in Azure. All access to the DB is via a minimal api.
Every row has a tenantId, with a SQL Server security policy setup so tenants can only see data for their tenantId. This all works perfectly.
Each tenant has multiple users, with each user having multiple jobs. I thought it would be a good idea to prevent the possibility of users getting other users Jobs by setting up an additional policy filter by (tenantId, userId) on the jobs table. Also works perfectly, but I have to wonder if this is overkill and better handled in the API layer.
Thanks.
nb. Block Policy is applied as well.
Asked by Lindsay Mathieson
(11 rep)
Jul 14, 2023, 03:53 PM
Last activity: Jul 14, 2023, 04:15 PM
Last activity: Jul 14, 2023, 04:15 PM