Allowing more users than max user quota in a (public) app containing sensitive information

We are building an app where it should be possible to let a lot of people (thousand+) in to play a game for a short amount of time. Some of the data exposed in the game is sensitive data that should only be possible to read for players of that game. The number of people is many times higher than what the user quota is so it is not viable to “just upgrade”. I´m looking for some ideas or best practise to solve this with an acceptable risk.

Option 1 - Unauthenticated app. Create temporal objects from the sensitive objects when the game starts and use a cleanup service to remove everything afterwards after collecting the “game data”. This will reduce the possible time frame an attack can happen to a minimum. Our idea is to use data silos to ensure that data can only be read by authenticated users, but if no user is authenticated we lose this possibility. (I assume “Filtered security” will not aid in this matter?)

Option 2 - Authenticated app. For each game, create a “Game user” that we log everyone for that game into, if they have an authentication link with a guid (+ a perhaps a pass code sent by a service to mail/SMS). We do have auth0 set up, so we could pipe everyone through there as well to further reduce the risk, but I assume as long as you have the link you have the access, so the risk is about the same. If we were to use auth0 in an authenticated app we will still have the problem with the user limitation. What is the maximum number of sessions for a user? If this is a low number this option will not work anyway.

Grateful for any other options or suggestions/thougts.



Option 1 should be ok for “medium sensitive info” if you make sure the “game key” is non-guessable, and only stored in the database throughout the game, and filter all data on that game with server-side fillters (filter on database connected datasource, or a Read Objects from the database).

However, since the game data is not restricted on a technical level on the “Permissions” level (will be solved with filtered security, also for unauthenticated apps), we recommend to

  1. have a Service with game id as input, reading that sensitive data and returning those data, and another Service or Endpoint for storing the sensitive data
  2. make a service account, with a Role with CRUD access to those sensitive Object Classes. Unauthenticated role should NOT have access
  3. when the unauthenticated App is requesting to read or update those sensitive data - use action node Run Service and “Run as Service Account”.
    In this case, the App user role will not have access to the Object Class itself.
1 Like