Damian, there is way to use part of SQL security and don't make
significant changes to your program. Make IB user for each real user,
make role with single name and full access within each database and
grant this role for users in databases on database_user principle. All
what you need after it is syncronize changes in your Control Database
with changes in ISC4.gdb and role member management, add role
parameter to connection and force change of user-entered password to
real, stored in Control Database and retreived via 'primary system
connection' as database owner. Doing this you can:
1.Prevent accidental access of user to database of another company
2.Use system USER variable to store on insert as default column and on
update as setted on Before Update trigger. So you have Creator of
record and Last Modifyer with minimal efforts. For full or flexible
internal logging see IBLogManager. It's minimal efforts too.

I have a doubt, is it written in English or not, but I hope you can
realize ideas. :)

Best regards.