I’m building a client portal for a training company and need help understanding the best architecture for org-based content filtering.
Here’s our use case:
We have two types of companies using the portal — Company ABC and Company XYZ. Each company has licensed access to a different set of training programs:
• Company ABC has a full license with access to all Programs 1-10
• Company XYZ has a partial license with access only to Programs 3 and 8
Each company has multiple users (trainers) who log into the portal. All users from Company ABC should see programs 1-10. All users from Company XYZ should only see programs 3 & 8. No user should ever see programs they’re not licensed for.
Our data structure:
• Programs table — contains all training programs
• Organizations table — each org has a “Licensed Programs” relation field linking to Programs where we identify all the programs available to that organization
• Users table — contains user email, name, and a relation field linking to their Organization
What we’re trying to do:
Use Data Restrictions to show each logged-in user only the programs their organization has licensed — essentially a two-part lookup: logged-in user email → Users table → Organization → Licensed Programs.
What we’ve found so far:
When setting up a Data Restriction on the Programs table, the “Logged-in user” value option only exposes email and email domain. It doesn’t appear to allow matching against a related record in our Users table (i.e., we can’t say “show programs where Organization matches the logged-in user’s organization”).
Our questions:
- Is there a native way to filter data based on a logged-in user’s related record in a database table (not just their email)?
- Is there a “user metadata” or “user profile” feature that exposes additional fields from a Users table for use in restrictions?
- If not natively supported, what is the recommended architecture for org-based permissions at scale?
We want to avoid a solution that requires manual per-user configuration — the org-level license model means that when a new user from Company ABC is added, they should automatically inherit Company ABC’s program access without any additional configuration.
Thanks for your help!
