I am aiming to create a document-vault-style application whereby the custom app has a number of users, all of whom have unique folders that they and only they should be able to see.
How does one differentiate between users at the app level to determine if they have permission to view a specific file? The managed user has permission to view all files/folders in the application, and app users a subset. The API calls are made using a JWT issued to the managed user and therefore will be unrestricted regardless of which end app user is making the call.
Is it that one should use the as_user functionality so the managed user acts on behalf of an app user? Is there any other way to restrict the access of app users, or indeed identify the app user making the request?