I have a cosmos db system with a user table. Now I'm develop a client app that connects to cosmos db directly by cosmos sdk (iOS).
I'd like to add a security layer to make sure a user can't access other user records, some like select * from User c
Is there anyway to do this?
Thanks!
As we know from this link, Cosmos db has two types of keys:
For your need, you need to give up master keys
, use resource tokens
instead. It could provide access to specific document.
So my idea is:
When you create every row of data, you need to generate resource token which maps this user and store it as an additional column. Then when a user query data, he should provide his resource token (as security layer) to authenticate his permission of filtering data. Not every one uses master keys, it can't control the data isolation. Please refer to the model listed in above link: