I'm implementing a Web API where I have different roles available. I have the below scenario which needs to be secured:
For example, I have a method which says GetEmployeesDetails(ids), where I fetch the details of all the employees who are under the user who is accessing the method (the logged-in user) by the ids. I validate the user accessing the method with the Authorise attribute. Now suppose I have another valid user who has some other employees under him, but he hacks the system and provides some different ids as input to the method; the method will respond with the data. I want to validate that the input provided cannot be tampered with, or somehow validate whether the ids are under the user currently accessing the method. Has anyone come across such a scenario? Any help in this regard will be appreciated.
What I have tried:
I have validated whether the user accessing the method is authorised to access the data for the ids provided in the input, but this adds overhead to the workflow. Is there any global concept which I can implement to handle such scenarios? This API will be public, hence security is the major concern.
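One way to make this a global rule rather than a per-method check, as an added example that is not the asker's code: put the ownership scope (the caller's id) into every data query, so a tampered id that belongs to another manager is never selected, and treat any requested id that does not come back as an authorization failure. It assumes a ManagerId column on the employee record and that the caller's id is taken from the authenticated principal (User.Identity in the controller), never from request input; the data below is constructed in memory to stand in for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample domain: each employee row carries the id of the manager it belongs to.
public sealed record Employee(int Id, string Name, string ManagerId);

public sealed class EmployeeRepository
{
    // Constructed in-memory rows standing in for the real employee table.
    private readonly List<Employee> _rows = new()
    {
        new Employee(1, "Ann",  "manager-a"),
        new Employee(2, "Bob",  "manager-a"),
        new Employee(3, "Cara", "manager-b"),
    };

    // The scope predicate (ManagerId == caller) is part of the query itself, so rows
    // outside the caller's scope are never read, whatever ids the request contains.
    public IReadOnlyList<Employee> GetForManager(string managerId, IEnumerable<int> ids)
    {
        var wanted = ids.ToHashSet();
        return _rows.Where(e => e.ManagerId == managerId && wanted.Contains(e.Id)).ToList();
    }
}

public sealed class EmployeeService
{
    private readonly EmployeeRepository _repo;
    public EmployeeService(EmployeeRepository repo) => _repo = repo;

    // Any requested id that the scoped query did not return is out of scope for this caller;
    // fail the whole request so the controller can answer 403/404 instead of a partial set.
    public IReadOnlyList<Employee> GetEmployeesDetails(string currentUserId, IReadOnlyCollection<int> ids)
    {
        var found = _repo.GetForManager(currentUserId, ids);
        var missing = ids.Except(found.Select(e => e.Id)).ToList();
        if (missing.Count > 0)
            throw new UnauthorizedAccessException(
                $"Ids not in scope for {currentUserId}: {string.Join(",", missing)}");
        return found;
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new EmployeeService(new EmployeeRepository());
        Console.WriteLine(service.GetEmployeesDetails("manager-a", new[] { 1, 2 }).Count); // 2
        try { service.GetEmployeesDetails("manager-b", new[] { 1, 3 }); }               // id 1 is not under manager-b
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In the controller the only thing left to do is read the caller's id from User.Identity and map UnauthorizedAccessException to a 403 or 404 response; the per-method ownership check disappears because the repository enforces it for every query.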