
Background

Hey, all. To start, I'm in the process of learning AWS Amplify / GraphQL, so I'm not sure if this is a GraphQL-specific question, or if it relates more to AWS Cognito. That said, if this question is considered off-topic, please direct me to a more appropriate place to ask this question.

The Question

Using AWS Amplify & AWS Cognito, I want the GraphQL layer to only respond with data that is specific to that entity. As an example:

Given an organization and user database structure such that many users belong to one organization, how do I ensure a user can only interact with data specific to the organization it is a part of?

More detailed Example

Given the picture below, how can I ensure that user #2, when querying the AWS Amplify GraphQL layer, will never be able to interact with organization #1's data?

[Image: Relationship Example]

What I've tried

Currently, in the GraphQL layer I've manually added a WHERE clause to each query so that the client won't be able to view cross-organization data. However, this doesn't prevent any user from creating their own query to view cross-organizational data. I'm currently looking into building a custom authorization resolver, but it doesn't seem to fit my specific need yet.

Any help is greatly appreciated.

Donato Perconti
  • Looks like @derrops has a great answer. Are you bound to any particular auth flow? Implicit grant? Auth code? Client credentials? – garrettmac Jan 16 '22 at 18:39
  • It sounds to me like this is a Cognito question and you need to set up several groups inside your one user pool. Does that sound right? Have you looked into https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html? You can then do introspection on the user, and that should (I think) allow a user in the admin group vs. the guest group to see different GraphQL schemas/types for the same query (or even hide the available queries/mutations in a GQL playground depending on role). – garrettmac Jan 16 '22 at 18:50
  • Then mix those above groups into your GQL types like so: https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/ – garrettmac Jan 16 '22 at 18:58

1 Answer


If you want to keep to the Amplify way of doing things, you can use Authorization Rules.

Groups

If users in an organization are in the same Cognito group, then you could use Dynamic group authorization. For example:

type Sale @model @auth(rules: [{ allow: groups, groupsField: "org" }]) {
  id: ID!
  org: [String]
}

That way sales people can only access sales whose group/org matches their own.

Attributes

Otherwise, you can also use attributes of your users, with the ownerField directive.

Derrops
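A fuller schema along the lines of the answer, added here as an example rather than the answer's own code. It assumes Cognito group names that match the value stored in each record's org field (e.g. "org-1"), a static Admin group, and a Cognito User Pool as the default auth mode; it shows the dynamic group rule next to the ownerField rule the answer mentions, with write access kept narrow so that an ordinary member cannot move a record into another organization's group.

```graphql
# Added example, not from the original answer. Constructed assumptions:
# Cognito groups are named after organization ids ("org-1", "org-2", ...)
# and there is a static "Admin" group for cross-organization maintenance.
type Organization
  @model
  @auth(rules: [
    # Anyone whose Cognito groups include the value in "org" may read.
    { allow: groups, groupsField: "org", operations: [read] }
    # Only the static Admin group may create, update or delete.
    { allow: groups, groups: ["Admin"], operations: [create, update, delete] }
  ]) {
  id: ID!
  org: String!   # holds the Cognito group name for this organization
  name: String!
}

type Sale
  @model
  @auth(rules: [
    # Members of the matching organization group can read the sale.
    { allow: groups, groupsField: "org", operations: [read] }
    # The record's author (Cognito username in "author") may read and
    # delete it, but not update it: an update right would also let the
    # author rewrite "org" and re-home the record into another group.
    { allow: owner, ownerField: "author", operations: [read, delete] }
    # Creating and updating stays with the Admin group.
    { allow: groups, groups: ["Admin"], operations: [create, update, delete] }
  ]) {
  id: ID!
  org: String!     # organization group the sale belongs to
  author: String   # populated with the caller's username by the owner rule
  amount: Float!
}
```

AppSync evaluates these rules in the generated resolvers on every request, so they hold regardless of which query or mutation a client writes, which is the gap the hand-written WHERE clauses in the question leave open.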