Thanks for checking in! I migrated things such that my users can now only call UDFs, and the UDFs have roles that grant access to collections/indexes, which I really like. I did still have some trouble with ABAC predicates for the UDF roles that I couldn’t quite figure out, but I worked around it by implementing some logic in the UDF itself to deal with multi-tenancy that I’m satisfied with for the time being.
I feel like it’d be super helpful to have a tool for testing role access in the console - Identity() doesn’t work in the shell so it’s pretty tough to figure out what’s broken. I’m not sure exactly what it’d look like, but I’d love to be able to test calling a UDF as a specific “user” so I can more easily validate role settings.
All that to say, I’m in a good spot now - thanks so much for the help!