Custom SharePoint authorization scheme


I have an ASP.NET app for managing potato markets. Each market has its own overview page, and users with specific access can operate on that market. The access itself is managed by extensive business rules which the application calculates at the time of access using ClaimsPrincipal.

Now I want to extend my application with SharePoint On-Premises. In general the application would just show links to the files associated with a market. The SharePoint folder itself would be structured as follows:

Documents
   PotatoMarkets
      Market_1:
         File_1.docx
         File_2.docx
      Market_2:
         File_3.txt
         File_4.xlsx

The users themselves have access to the Documents.PotatoMarkets.

Now the first question is - how to reflect authorization rules used in the application over SharePoint folders? Users should have access only to the market folders they have access to in the application.

But in the application access is calculated at the time of the actual access, which is not something that is possible with SharePoint. The only option that I see is to break each market folder's inheritance of parent permissions and maintain a whitelist for each individual folder. But that is very unwieldy with a large number of markets and users, especially in cases when, for example, a new potato vendor is added to the system: I would need to assess each market against the newly added vendor!

Spawning an AD group for each market is not very elegant either.

The second question is: is there a way to still show folder and file URLs to the users through the application but restrict their direct access to them through SharePoint? For example, the users would not have access to Documents.PotatoMarkets at all, and at the time of accessing a file through the application it would provide a one-time access token, should it deem that the user does indeed have access.


There are 0 answers
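The broker sketched in the second question (users hold no SharePoint permission on the folder; the application reads the file under its own identity and hands the user a one-time token) can be illustrated with the following added example. It is not code from the post or from SharePoint/ASP.NET; it is written in Python to show the token scheme itself. The business-rule check and the SharePoint read are passed in as callables (assumed interfaces), and a constructed in-memory dictionary stands in for the document library. The token is an HMAC-signed payload bound to one user and one file, short-lived, and single-use via a nonce that the broker remembers; the nonce store would have to be shared (database or cache) across application nodes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DownloadBroker:
    """Issues and redeems single-use, short-lived download tokens (hypothetical broker).

    authorize(user, market) -> bool stands in for the app's ClaimsPrincipal business rules;
    fetch(path) -> bytes stands in for reading the file with the app's own SharePoint identity.
    """

    def __init__(self, secret, authorize, fetch, ttl_seconds=60, clock=time.time):
        self._secret = secret          # server-side key; keep it in a vault/DPAPI, never in config files
        self._authorize = authorize
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._redeemed = set()         # used nonces; must be a shared store in a multi-node deployment

    def issue(self, user, market, path):
        if not self._authorize(user, market):
            raise PermissionError(f"{user} may not access market {market}")
        # Bind the token to a file inside the authorized market folder only.
        if not path.startswith(f"Documents/PotatoMarkets/{market}/") or "/../" in path:
            raise ValueError("path must name a file inside the authorized market folder")
        payload = {"u": user, "m": market, "p": path,
                   "exp": int(self._clock()) + self._ttl,
                   "n": secrets.token_hex(16)}          # nonce makes the token single-use
        body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def redeem(self, token, user):
        try:
            body, sig = token.rsplit(".", 1)
            expected = hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                raise PermissionError("bad signature")
            payload = json.loads(_unb64(body))
        except ValueError:
            raise PermissionError("malformed token")
        if payload["u"] != user:
            raise PermissionError("token was issued to a different user")
        if payload["exp"] < self._clock():
            raise PermissionError("token expired")
        if payload["n"] in self._redeemed:
            raise PermissionError("token already used")
        # Re-run the business rules at redemption so a revocation inside the TTL still bites.
        if not self._authorize(user, payload["m"]):
            raise PermissionError("access revoked")
        self._redeemed.add(payload["n"])
        return self._fetch(payload["p"])


# Constructed sample data standing in for the SharePoint library and the app's rules.
SAMPLE_FILES = {
    "Documents/PotatoMarkets/Market_1/File_1.docx": b"market 1 contract",
    "Documents/PotatoMarkets/Market_2/File_3.txt": b"market 2 notes",
}
SAMPLE_ACCESS = {"alice": {"Market_1"}, "bob": {"Market_2"}}


def sample_authorize(user, market):
    return market in SAMPLE_ACCESS.get(user, set())


def sample_fetch(path):
    return SAMPLE_FILES[path]


def _attempt(action):
    try:
        return action()
    except PermissionError as exc:
        return str(exc)


def demo():
    """Happy path plus the failure modes the scheme is meant to stop; returns the outcomes."""
    clock = [1_700_000_000]  # fake clock so expiry is reproducible
    broker = DownloadBroker(secrets.token_bytes(32), sample_authorize, sample_fetch,
                            ttl_seconds=60, clock=lambda: clock[0])
    path = "Documents/PotatoMarkets/Market_1/File_1.docx"
    token = broker.issue("alice", "Market_1", path)
    out = {}
    out["forwarded"] = _attempt(lambda: broker.redeem(token, "bob"))      # token bound to alice
    out["download"] = broker.redeem(token, "alice")
    out["replay"] = _attempt(lambda: broker.redeem(token, "alice"))       # nonce already burned
    body, sig = token.rsplit(".", 1)
    forged_payload = json.loads(_unb64(body))
    forged_payload["p"] = "Documents/PotatoMarkets/Market_2/File_3.txt"   # retarget the path
    forged = _b64(json.dumps(forged_payload, sort_keys=True, separators=(",", ":")).encode()) + "." + sig
    out["forged"] = _attempt(lambda: broker.redeem(forged, "alice"))
    out["unauthorized_issue"] = _attempt(lambda: broker.issue("bob", "Market_1", path))
    fresh = broker.issue("alice", "Market_1", path)
    clock[0] += 61
    out["expired"] = _attempt(lambda: broker.redeem(fresh, "alice"))
    return out
```

The link the application shows is the broker's redeem URL carrying the token, not the SharePoint URL; direct access fails because the user has no permission on Documents.PotatoMarkets, and the broker streams the bytes after checking the signature, the user binding, expiry, the nonce and the business rules again. For the first question (mirroring rules into SharePoint ACLs) this design sidesteps the per-folder whitelist entirely, at the cost of every download passing through the application.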