
A user has a company_id and a many-to-many relationship with tasks. Each user has a role. Each role has permissions.

An admin should be able to see all tasks within the company. A user should only be able to see his own tasks within the company.

What are the pitfalls of each approach?

  1. Assign all admins to the m2m when a task is created
  2. Include a see_all_tasks permission as part of the admin role

1 Answer


Given that you already have roles and permissions configured in your application, you should be assigning the users roles against a company, e.g. Admins will have an Administrator role in all Companies.

Any user in the application will have a role per company that allows him to perform his tasks in the context of that company.

Ex: I can be an Admin for CompanyA & an Enduser for CompanyB. This should give you the desired result.

In case of having a consolidated list of tasks being shown across all companies, I will aggregate roles for each task based on the companyId and then enforce permissions.
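As an added example, not part of the original answer, here is the per-company role model described above expressed in Python, including the consolidated cross-company task list where permissions are resolved per task from its company_id. All names, the `see_all_tasks` permission wiring and the sample users and tasks are assumed for illustration.

```python
from dataclasses import dataclass

# Roles map to permissions; only the admin role carries see_all_tasks.
ROLE_PERMISSIONS = {
    "admin": {"see_all_tasks"},
    "enduser": set(),
}

@dataclass(frozen=True)
class Task:
    task_id: int
    company_id: str
    assignees: frozenset  # user ids: the user<->task many-to-many

@dataclass
class User:
    user_id: str
    roles: dict  # company_id -> role name: one role per company

def permissions_for(user, company_id):
    """Permissions the user holds in the context of one company.
    No role in that company means no permissions there."""
    role = user.roles.get(company_id)
    return ROLE_PERMISSIONS.get(role, set())

def can_view(user, task):
    """Every check is scoped by the task's company, so an admin role in
    CompanyA grants nothing in CompanyB. Holders of see_all_tasks see every
    task in the company; everyone else only tasks they are assigned to,
    and only if they hold some role in that company (design assumption)."""
    if "see_all_tasks" in permissions_for(user, task.company_id):
        return True
    return user.user_id in task.assignees and task.company_id in user.roles

def visible_tasks(user, tasks):
    """Consolidated list across companies: the role is looked up per task
    from task.company_id, then the permission is enforced."""
    return sorted(t.task_id for t in tasks if can_view(user, t))

# Constructed sample data: alice is admin in CompanyA and enduser in CompanyB;
# bob is enduser in CompanyA only.
ALICE = User("alice", {"CompanyA": "admin", "CompanyB": "enduser"})
BOB = User("bob", {"CompanyA": "enduser"})
TASKS = [
    Task(1, "CompanyA", frozenset({"bob"})),
    Task(2, "CompanyA", frozenset({"alice"})),
    Task(3, "CompanyB", frozenset({"alice"})),
    Task(4, "CompanyB", frozenset({"carol"})),   # alice is not admin here
    Task(5, "CompanyC", frozenset({"bob"})),     # bob has no role in CompanyC
]
```

Note that task 5 is denied to bob even though he is an assignee: an assignment in the many-to-many alone does not establish membership in a company, the role does.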