We have a Salesforce app where we have some custom objects and want to expose the various custom object rcords to customers.

We need to ensure that customers can see only the records belonging to their Account. Because of the way these records are setup(owned by various system users at different levels of processing), we cannot use owner based sharing...and cannot use criteria based sharing since its not dynamic(I cant use criteria based sharing to say "Share this record with all customer portal users who belong to the same Account as the record" at runtime).

So I know I have to use Apex based sharing. I have read up on the sharing objects and the sharing table. But how would I approach this.

I can write a trigger which upon inserting will create a share object and get all userids who belong to the customer portal group and whose account equals the account of the record and associate them with the share object of the record.

But I feel this is overkill correct? Lets say there are 5 users from one of our customers and lets say there are 500 records created a day...that means 2500 share objects a day just for 1 customer...for 10 customers this can go upto 25000...and scale in this way...

Am I right here?

Another problem would be if a new person joined that customer team..unless another process updates the sharing on older records, he/she cannot see the older records.

So is there a better/elegant way to do this? I thought of adding a share object to the group...but there is just one group "Customer portal group" and how do I associate the group with the account of the users?

I will appreciate any thoughts about this.