Control edit access

I have users connected to companies and companies connected to projects.

I would like users connected to a specific company to have the ability to edit the record of that company and also of the projects connected to that company. How do I set this up?

And in addition: to prevent misuse there it's probably good to have some approval system (right now a suer can just add any company to it's profile without approval and start editing). How do others do this with Knack?