Allow attaching IAM permissions to databases
Multi-db support in Firestore has now launched and enabled a ton of new features, though the way permissions are granted is not ideal.
Instead of being able to attach permissions to individual databases, you have to use conditional IAM permissions on a project level.
This leads to problems when you want to grant IAM permissions to employees with access to only a subset of databases.
Granting access to only a subset of databases will prevent them from using the Firebase / Google Cloud console, as they will not have permission to view all databases.
Also, conditional IAM permissions are more complex to set up and maintain.
A better solution would be to be able to attach IAM permissions directly to the databases, as is possible for storage buckets, Secret Manager secrets, BigQuery datasets and tables, etc.
If someone doesn't have permissions to view a Firestore database at all, it should be excluded from the list of databases in the consoles.
If someone does have the permission to view a Firestore database, but does not have permission to view the data, it should be shown in the list of databases but then not load the data when going to the data tab of the database.