Ownership Rules

Understanding owner vs participant roles in shared companies.

Roles

Owner

Definition: User who created the company
Identifier: company.ownerName == currentUser.name
CloudKit: Creator of CKShare
Store: Private Store (company record lives here)

Participant

Definition: User who accepted share
Identifier: company.ownerName != currentUser.name
CloudKit: Listed in CKShare.participants
Store: Shared Store (company record synchronized here)

Determining Ownership

Method 1: Check Owner Field:

func isOwner(of company: Companies) -> Bool {
    return company.ownerName == currentUserName
}

Method 2: Check Persistent Store:

func isOwner(of company: Companies, in context: NSManagedObjectContext) -> Bool {
    let privateStore = context.privateStore() // default configuration
    return company.objectID.persistentStore == privateStore
}

Why Both Work: Private Store = owned, Shared Store = participating.

Permission Differences

Owner Can:

✅ Modify all company data
✅ Add/remove participants
✅ Configure CKShare permissions
✅ Delete company (and stop sharing)
✅ Change company settings
✅ Grant/revoke AccessControl

Participant Can:

✅ View company data (always)
✅ Modify data (if CKShare permission = "Can Edit")
✅ Create new records (if allowed)
❌ Add/remove participants (owner only)
❌ Delete company (owner only)
❌ Modify CKShare (owner only)
🔶 AccessControl-dependent operations (see below)

CKShare Permissions

Set by owner when sharing:

Read-Only:

share.publicPermission = .readOnly
// Participants can view, cannot modify

Read-Write:

share.publicPermission = .readWrite
// Participants can view and edit

Check in Code:

func canParticipantEdit(_ company: Companies) async -> Bool {
    let shares = try? await container.fetchShares(matching: [company.objectID])
    guard let share = shares?[company.objectID] else { return false }
    return share.publicPermission == .readWrite
}

AccessControl Integration

App-Level Permissions: AccessControl entity defines fine-grained abilities.

Example:

let access = AccessControl(context: viewContext)
access.companyID = company.companyID
access.userName = "[email protected]"
access.canViewInventory = true
access.canEditInventory = false
access.canViewOrders = true
access.canEditOrders = true

Enforcement:

func canEditInventory(for company: Companies, user: String) -> Bool {
    // CloudKit level
    guard share.publicPermission == .readWrite else { return false }
    
    // App level
    let access = fetchAccessControl(company: company.companyID, user: user)
    return access?.canEditInventory ?? false
}

Data Isolation

UserPass Exception: Owner can read UserPass for all companies (Private Store).

Participant UserPass: Participant creates their own UserPass for shared companies.

Example:

Company A owned by Alice
Alice has UserPass for Company A (Alice's credentials)
Bob accepts share for Company A
Bob creates UserPass for Company A (Bob's credentials)
Alice cannot see Bob's UserPass (owned by Bob, in Bob's Private Store)

Transferring Ownership

Not Supported: CloudKit doesn't support ownership transfer of CKShare.

Workaround:

Owner exports company data (JSON/CSV)
Participant imports as new company (becomes owner)
Owner deletes original share

Multiple Owners

Not Supported: Only one owner per CKShare.

Alternative: Use AccessControl with admin flag:

access.isAdmin = true

Give admin participants UI access to owner-like functions.

PreviousSharing Flow NextConflict Resolution

Last updated 1 hour ago

Good morning

hashtagRoles

hashtagOwner

hashtagParticipant

hashtagDetermining Ownership

hashtagPermission Differences

hashtagOwner Can:

hashtagParticipant Can:

hashtagCKShare Permissions

hashtagAccessControl Integration

hashtagData Isolation

hashtagTransferring Ownership

hashtagMultiple Owners