but it's not a really scalable solution because in the event that there are hundreds of apps and thousands of users, this method becomes a maintenance nightmare. At the moment, there are two RootAdmins that handle nearly all of the administrative work with one designated "team admin" per stream. Even with the "extra help" of the admins per stream, it still becomes a maintenance nightmare.
For example, if Stream01 has 4 users: User01, User02, User03, User04. And if I only wanted User01, User02, and User03 to see App01 on Stream01, then I would need to create a unique custom property for those three users alone. And then if you wanted to, say, add another user like User05 from Stream02, then you would need to create a unique custom property for User05 because you don't want all users from Stream02 to view all apps from Stream01. And then if you want to allow User06 from Stream02 to view App02 on Stream01, then you would need to create more custom properties. This becomes an absolute maintenance nightmare and is not maintainable/scalable. For now, it's seemingly scalable because of the number of users and apps, but as it continues to expand in the company, it becomes impossible to maintain. For those that might recommend that the "team admin" from each stream create a stream per app, then you could theoretically see a thousand streams. That also becomes quite a nightmare, if not for the RootAdmins, then for the "team admins".
Is there a best way to create app level security that doesn't have the problems I mentioned above? What I'm looking for is a method that's maintainable and scalable.
...Which seems to be impossible in Sense as far as I know.
I'm just starting to implement our server version of Sense, and so far I've applied security rules at a stream level only. That said, I've been able to control users' access to one or more streams by checking for a particular user attribute I pass in the UDC with each user, and I set the security rule to check for that attribute value rather than users.
It works for streams and I assume it will work the same at app level. This way I don't need to add/edit security rules each time I bring in a new user.
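A small model of the attribute-matching idea from the reply above, applied to the users and apps named in the question. This is an added example, not code from either poster and not Qlik Sense rule syntax; the attribute name `app_access`, the property name `access_tags` and the tag values are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    stream: str
    # Hypothetical attribute synced from the user directory (constructed tags).
    app_access: set = field(default_factory=set)


@dataclass
class App:
    name: str
    stream: str
    # Hypothetical property on the app listing the tags allowed to read it.
    access_tags: set = field(default_factory=set)


def can_read(user, app):
    """The single rule: allow read when the user carries any tag set on the app.
    An app with no tags matches nobody, so the default is deny."""
    return bool(user.app_access & app.access_tags)


def readers(app, users):
    return sorted(u.name for u in users if can_read(u, app))


def visible_apps(user, apps):
    return sorted(a.name for a in apps if can_read(user, a))


# Constructed sample data mirroring the scenario in the question.
APPS = {
    "App01": App("App01", "Stream01", {"app01-readers"}),
    "App02": App("App02", "Stream01", {"app02-readers"}),
    "App03": App("App03", "Stream01"),  # untagged: nobody can read it
}
USERS = {
    "User01": User("User01", "Stream01", {"app01-readers"}),
    "User02": User("User02", "Stream01", {"app01-readers"}),
    "User03": User("User03", "Stream01", {"app01-readers"}),
    "User04": User("User04", "Stream01"),  # same stream, no app tag
    "User05": User("User05", "Stream02", {"app01-readers"}),
    "User06": User("User06", "Stream02", {"app02-readers"}),
}

if __name__ == "__main__":
    for app in APPS.values():
        print(app.name, "->", readers(app, USERS.values()))
```

In this model, granting or revoking access is a change to the user's directory attribute or the app's property, while the rule itself stays the same.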