Security in a single CouchDB database can only be set up to do one of the following:
- Everyone can read/write everything (admin party)
- Everyone can read, some can write
- Some can read everything, and those same people can write everything
So in the very common situation where you want user data to be private, the current best practice is to give every user a database. This sounds nuts at first, but it turns out that databases are cheap in CouchDB; Cloudant boasts that 100k databases in a single Couch is not uncommon (source).
However, actually implementing one database per user is not open-and-shut. You need a separate server process outside of CouchDB to handle it. Everyone has their own solution; here are some popular ones:
Update: the CouchDB Docker image now has built-in couch-per-user support, making this much easier to implement: https://hub.docker.com/r/klaemo/couchdb/
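What a per-user provisioning step has to do, as an added example that is not part of the original text or of any project named here: it builds the `userdb-<hex(username)>` name used by CouchDB's couch_peruser convention, a `_security` object listing that user as the only member, and a small model of CouchDB's documented database-level access rule (an empty members list means the database is public). `COUCH_URL`, the function names and the sample users are assumptions made for the example.

```javascript
// Added example. COUCH_URL and all function names are hypothetical.
const COUCH_URL = 'http://localhost:5984'; // assumption: local CouchDB node

// couch_peruser convention: "userdb-" + hex(username), which keeps arbitrary
// usernames inside CouchDB's database-name character rules.
function userDbName(username) {
  return 'userdb-' + Buffer.from(username, 'utf8').toString('hex');
}

// _security object with `username` as the only member. Leaving admins empty
// is a choice of this example: only server admins can then change it.
function securityDoc(username) {
  return {
    admins: { names: [], roles: [] },
    members: { names: [username], roles: [] },
  };
}

// Model of CouchDB's database-level check: server admins always pass, an
// empty members list makes the database public, otherwise the caller must be
// listed (by name or role) under members or admins.
function canAccess(sec, userCtx) {
  const roles = userCtx.roles || [];
  if (roles.includes('_admin')) return true;
  const m = sec.members || {};
  const isPublic = !(m.names || []).length && !(m.roles || []).length;
  const listed = [sec.admins || {}, m].some(l =>
    (l.names || []).includes(userCtx.name) ||
    (l.roles || []).some(r => roles.includes(r)));
  return isPublic || listed;
}

// Requests the separate server process sends, authenticated as a server
// admin: create the database, then lock it down before the user syncs to it.
function provisionPlan(username) {
  const db = `${COUCH_URL}/${userDbName(username)}`;
  return [
    { method: 'PUT', url: db },
    { method: 'PUT', url: `${db}/_security`,
      body: JSON.stringify(securityDoc(username)) },
  ];
}
```

The order of the two requests matters: until `_security` is written, access to the new database is governed by the server's defaults rather than by the per-user rule.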
As for Cloudant, I have found https://github.com/cloudant-labs/envoy (covered in https://developer.ibm.com/code/open/projects/cloudant-envoy/ and ):
I am unsure if it is used by anyone though - no activity on the GitHub repo for over a year. There is also https://github.com/glynnbird/envoy-serverless (covered in https://medium.com/ibm-watson-data-lab/cloudant-envoy-serverless-edition-d68b08d536d7) but it seems even less used/tried.