I have a mobile game and store sensitive information about the users in a large table. This table has hundreds of thousands of rows. Each row has the user id that the row is for.
One premise of the game is that you can play based on your information in the table or off of one of your friends' information.
Friends are determined by Facebook friends that also play the game. So, this is ever changing.
I'd like to implement a security strategy that only allows you or your friends to see your information. I don't think this is possible with roles because the friends list can change so much (new friends added in Facebook, new friends that access the application, etc.). So, I am thinking it needs to be done with custom Business Logic. But, I don't even know where to start to figure out how to implement a security feature like this in custom Business Logic.
So, my question is 2-fold:
1. What are your thoughts on how to implement the security functionality I described above? Any examples?
2. If what I described above is not possible, is there a security strategy where I can at least prevent someone from doing a Select All query from this sensitive table? That will at least allow me to prevent someone from getting all our data.
Thanks in advance,
Greg
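One way to approach both parts of the question above, as an added example that is not part of the original post and is not tied to any particular backend: a server-side hook that takes the caller's id from the authenticated session, rejects any query that does not target a single `userId`, and allows the read only for the owner or a current friend. All names (`authorizeQuery`, `fetchRows`, `isFriend`) and the sample data are assumptions constructed for illustration.

```javascript
// Constructed sample data: rows of the sensitive table, keyed by owner user id.
const rows = [
  { userId: 'u1', score: 10 },
  { userId: 'u2', score: 20 },
  { userId: 'u3', score: 30 },
];

// Constructed friend graph. Assumption: the server refreshes it from the
// Facebook friend list (friends who also play) instead of trusting the client.
const friends = new Map([
  ['u1', new Set(['u2'])],
  ['u2', new Set(['u1'])],
  ['u3', new Set()],
]);

function isFriend(a, b) {
  const set = friends.get(a);
  return set !== undefined && set.has(b);
}

// Hypothetical pre-fetch hook. callerId must come from the authenticated
// session, never from the request body.
function authorizeQuery(callerId, query) {
  if (!callerId) return { allowed: false, reason: 'unauthenticated' };
  const owner = query ? query.userId : undefined;
  // Require exactly one concrete owner id. This rejects a "select all"
  // (no filter) and operator objects such as { $ne: null }.
  if (typeof owner !== 'string' || owner.length === 0) {
    return { allowed: false, reason: 'query must target a single userId' };
  }
  if (owner !== callerId && !isFriend(callerId, owner)) {
    return { allowed: false, reason: 'not owner or friend' };
  }
  // Return a server-built filter; other client-supplied conditions are dropped.
  return { allowed: true, filter: { userId: owner } };
}

function fetchRows(callerId, query) {
  const decision = authorizeQuery(callerId, query);
  if (!decision.allowed) throw new Error(decision.reason);
  return rows.filter((r) => r.userId === decision.filter.userId);
}
```

Because the friendship check runs on every request against the current friend set, no per-friend roles need to be maintained as the friend list changes.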