Hi everyone,
We’re working on a Foundry OSDK application that supports user-to-user sharing — for example, users can share certain objects with members of their groups.
We’d like users to be able to see members of the groups they’re in, but we can’t use @osdk/foundry.admin for all users (since some don’t have api:admin-read privileges to query Foundry platform groups or memberships).
We’re currently considering a few options:
- Using the built-in groups somehow (though these can be queried only by admins).
- Creating our own Group and GroupMembership Ontology objects for app-level groups, with restrictions.
- Syncing groups from our external identity provider (Auth0) into Foundry, either client-side on login or through an admin-run job.
We’re wondering what patterns other teams have used in similar cases — especially around keeping things secure and maintainable within Foundry’s execution model.
Thanks in advance!