Skip to content
Start building
Back

Scaling project-based permissions: team per project vs direct doc permissions?

  • 0
  • Cloud
View on Discord
cognitojo
19 Aug, 2025, 12:00

I’m building an app on Appwrite and want to double-check if my current approach is the right one before I go all in. I’ve read through the documentation, but I’m still not 100% sure what the best practice is here.

My setup / requirements: • I have Projects, each can have one Customers, multiple Suppliers, and multiple Issues/Tasks. • A Project always belongs to exactly one creator, but many people can be assigned to it (internal users, customers, suppliers). • I want document-level security only: either you have access, or you don’t. No partial fields. • If someone is assigned to a Project, they should automatically get access to all related docs (issues, linked customers/suppliers, etc.). • Permissions should be revocable in one place (remove them from the Project, they instantly lose access everywhere). • I don’t need anything fancy like per-field security. just binary access.

My current thinking: • Right now I auto-create a team per user at signup and stamp that team on all docs. But I realize that doesn’t scale for sharing. New idea: • Create a Team per Project (proj_<id>). • Add all people (internal, customers, suppliers) as members of that project team. • Stamp read/write("team:proj_<id>") on all project docs. • Use link collections for many-to-many (e.g. ProjectCustomer, ProjectSupplier) so I don’t have to union dozens of teams onto one customer/supplier doc. • Optional org_admins team for global admin visibility.

My question: • Is one team per project the best practice for this use case? • On the Pro plan, can hundreds of teams (e.g. 100 users × 10 projects/year) scale well? • Are there any hidden limitations around memberships or queries that I should be aware of at this scale? I saw that no limitations are on teams creating • Or would it be smarter to only set permissions directly on the Project doc and then handle access to linked entities differently (instead of carrying the team on every single related document)?

Thanks for your time

TL;DR
Developers are debating between using a team per project or direct document permissions for a project-based permissions system. They are considering scalability and simplifying access control. The current thinking involves creating a team per project, but they are unsure if it's the best approach. Here's a new idea proposed by the developer: create one team per project, add all relevant members to that team, and manage permissions by linking users to projects. They are seeking advice on the best practice for this use case and scalability concerns, as well as any limitations they should be aware of.
D5
19 Aug, 2025, 12:58

From what I understand, an user could have multiple projects and a project could have different permissions based on roles (like owner will have full CRUD, supplier read only X things, etc). I think that probably the team approach is the best

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more