Privacy Rules for many-to-many relationships

Hello,

I’m trying to wrap my head around privacy rules, and I’m wondering how one should handle privacy rules that do not directly connect to the user or the requested data.

Let’s say for example that I have a type “Transaction” that contains 2 fields: Buyer (a User) and Seller (a User as well). Each new transaction would be an entry in the transaction database. Since there might be many transactions, I don’t want to store them as lists in the users. That would mean duplication and big lists, which I’ve read might be a problem. And there is a limit to list size anyway, which would be a problem for an ever-growing list.

Now, let’s say I want to allow Sellers to only have access to the names of the users who have bought from said seller. In terms of a query, that would mean: search for buyers where seller = current user.

Since I would not have access to the transactions in the user privacy rules, and since lists have limits, I don’t see how I could have the security that I would like to have here. I don’t understand how I can reconcile the limits of the lists and the limits of the privacy rules to actually secure my data as I wish in this use case.

I feel this might just not be possible at all, but I would like confirmation, since this is quite important for my use cases in my current business.

Thank you very much,
Florian.

Your privacy rule would go on the “transactions” thing.

You can create two privacy rules.

  1. Seller - if current user is in “seller field” all fields are viewable.

  2. Buyer - if current user is in “buyer field” only “seller field” is visible.

These two privacy rules will allow the seller full access to the selling “transactions” that have their “user” thing with the seller’s “user” thing. Also, they will allow the buyer to have access to the “transactions” where the buyer’s “user” thing contains the buyer but limit access to only limited data, in this case only the seller’s “User”.
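
A small Python model of the two rules described in the answer above, added here as an illustration; it is not code from the thread or from the platform. The `amount` field, the user names, the union of matching rules and the default-deny behaviour are assumptions of this model.

```python
from dataclasses import dataclass

# Constructed model of the two rules from the answer; not the platform's own code.
ALL_FIELDS = {"buyer", "seller", "amount"}  # "amount" is an assumed extra field

@dataclass(frozen=True)
class Transaction:
    buyer: str
    seller: str
    amount: int

def visible_fields(tx, current_user):
    """Union of the fields granted by every rule whose condition matches."""
    granted = set()
    if tx.seller == current_user:   # rule 1: Seller sees all fields
        granted |= ALL_FIELDS
    if tx.buyer == current_user:    # rule 2: Buyer sees only the seller field
        granted |= {"seller"}
    return granted                  # no rule matched: nothing visible (assumed default deny)

def search(transactions, current_user):
    """Return redacted views of the records the current user may see at all."""
    results = []
    for tx in transactions:
        fields = visible_fields(tx, current_user)
        if fields:
            results.append({f: getattr(tx, f) for f in sorted(fields)})
    return results

def buyers_of(transactions, current_user):
    """The question's query: buyers where seller = current user, after the rules apply."""
    return sorted({row["buyer"] for row in search(transactions, current_user)
                   if row.get("seller") == current_user and "buyer" in row})

# Constructed sample data
SAMPLE = [
    Transaction("alice", "shop1", 30),
    Transaction("bob", "shop1", 12),
    Transaction("alice", "shop2", 99),
    Transaction("shop1", "shop2", 5),   # shop1 is the buyer here
]

if __name__ == "__main__":
    print(buyers_of(SAMPLE, "shop1"))   # seller view of their own sales
    print(search(SAMPLE, "alice"))      # buyer view: seller field only
    print(search(SAMPLE, "mallory"))    # unrelated user: no records
```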