I was reading http://devcenter.kinvey.com/html5/guides/security
In the Use Case section, we have:
"If you have collections that only hold entities that the app developer or administrator can create or modify, such as a daily deal, or a blog post, you would want to set the access level to Read Only. This allows read access to user credentials, and write access only to the app developer using the master secret."
However, the master secret is very powerful. What if there were a concept of a collection owner and a corresponding key, so that even if that got hacked, the best they can do is post some bad deals or delete all our blogs, instead of getting all of our user data?
Or is there an existing workaround to achieve similar effect? I'm all ears.
Thank you very much!
Kinvey doesn't have such a feature/concept of collection owners and corresponding keys.
And master secret is not supposed to be used inside mobile/web apps. Master secret should be used either in BL or through the console, which minimizes the risk of master secret getting hacked. Also, you always have the option to regenerate master secret via the console if you think it has been somehow compromised.
If you don't want to use master secret for this, there is an alternative way to do the same thing per collection: