I'm currently building two apps which share data entities in the same CoreData container with help of the same app group (this is working).
My current goal is to achieve different permissions on this data. To make it clearer, see those two apps as Admin-App and User-App, both accessing the same data, but the User-App should has only access to a reduced selection of the entity's attributes.
What would be a reasonable approach to this problem? I've already though about it, resulting in the following approaches:
Thanks in advance!
There's nothing on iOS that will enforce this kind of restriction for you. If the app group folder is accessible to an app, that app is allowed to read and write anything in the folder.
The simple answer is, if you're writing both apps, write them to follow your policy for which data is readable or writeable by which app.
A more complex answer, if that's not acceptable for some reason, would be to have the admin app save some data in its own container and some data in the app group. You can still use the app's private container, even if you also have a group. That would mean the admin app has to know which data to put in which container, which might or might not be complicated depending on what kind of data you have and how your apps use it. There's no reason the admin app can't have its own private data, though.
Core Data has some support for that approach. You can load more than one persistent store file at the same time, and Core Data will present them as a single unified data store. For reading data, that's easy to deal with. For writing data it gets a little more complex because every time you add data, you need to tell Core Data which file to use. This isn't extremely difficult but it'll take more work and some more research to understand what you're doing.