How to restrict asset update to only one organisation but allow asset read by all?

I have 3 organizations Org1, Org2, and Org3 which use HLF v2.2. The organizations store some organization-specific data in key-value pairs(assets) on the blockchain (keys are unique across as we prefix with organization code). The key-value pair which goes on the blockchain with an organization code prefix is updatable by that organization (CREATE, UPDATE & DELETE) and the rest of the organizations can only have READ access. How can we achieve this behaviour? I am thinking of having a cache within the chaincode that maps Org mspid with Org code and in the functions that manage organization assets, I can then check if the invocation is coming from a specific organization and accordingly allow to perform the update operation. Any ideas are greatly appreciated.

Maybe Private Data fits your use case. Look at Scenario 2 in this article: https://kctheservant.medium.com/private-data-collection-policy-demonstrating-members-only-read-and-write-features-b2e03ff02332. This way you could define a private collection per organization that could be read by the other organizations (although the requesting client should query the peer of the corresponding organization).

If your privacy concerns are related only to clients (if you trust the peers and orderers from other organizations), maybe you don't need Private Data features. You can simply evaluate the requestor MSP in your chaincode to apply your restrictions.