Amplify @auth rule require multiple group membership

Is it possible to have auth rules requiring authenticated users to belong to multiple groups? For example "allow users who are in 'Tenant N' AND who are 'Editors'".

Our models are currently similar to this:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "tenantID" },
  ])
{
  id: ID!
  tenantID: String!
}

So using static group auth doesn't work for us:

type MyModel
  @model
  @auth(rules: [
    { allow: groups, groups: ["DynamicTenantId", "Editor"] }
  ])
{
  id: ID!
  tenantID: String!
}

Because tenantID is a dynamic value, we need to use dynamic group auth instead:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "tenantID" },
    { allow: groups, groups: ["Editor"] },
  ])
{
  id: ID!
  tenantID: String!
}

But this doesn't work because it's an "OR", saying "allow anyone in the tenant OR anyone with the 'Editor' group".

Updating our models to use a single dynamic group auth field doesn't work either:

type MyModel
  @model
  @auth(rules: [
    { allow: owner },
    { allow: groups, groupsField: "allowGroups" },
  ])
{
  id: ID!
  allowGroups: [String] # ['DynamicTenantId', 'Editor']
}

Because this is an "OR" too, saying "allow anyone in the tenant OR anyone with the 'Editor' group".

Are there any other options, aside from a custom authenticator, to require multiple group membership?

asked 2 years ago · 69 views
No Answers
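
An added example, not part of the original question and not Amplify's own resolver code: a simplified JavaScript model of the OR evaluation described in the question, next to an all-groups check of the kind a custom authorizer could apply. It assumes group membership arrives in the Cognito `cognito:groups` claim; the function names, rule objects and sample users are constructed for illustration.

```javascript
// Simplified model of the rule evaluation discussed in the question.
// Assumption: the caller's groups come from the "cognito:groups" token claim.

// OR semantics: access is granted as soon as ANY single rule matches.
function allowedByOrRules(claims, record, rules) {
  const userGroups = new Set(claims["cognito:groups"] || []);
  return rules.some((rule) => {
    // Static rule: { groups: [...] }; dynamic rule: { groupsField: "..." }.
    const wanted = rule.groups ?? [].concat(record[rule.groupsField] ?? []);
    return wanted.some((g) => userGroups.has(g));
  });
}

// AND semantics: the caller must be in the record's tenant group
// AND in every required role group.
function allowedByAllGroups(claims, record, requiredRoles) {
  const userGroups = new Set(claims["cognito:groups"] || []);
  const tenant = record.tenantID;
  // Fail closed when the record carries no usable tenant.
  if (typeof tenant !== "string" || tenant === "") return false;
  return userGroups.has(tenant) && requiredRoles.every((r) => userGroups.has(r));
}

// Constructed sample data mirroring the third schema in the question.
const record = { id: "1", tenantID: "tenant-a" };
const rules = [{ groupsField: "tenantID" }, { groups: ["Editor"] }];
const users = {
  tenantAEditor: { "cognito:groups": ["tenant-a", "Editor"] },
  tenantAViewer: { "cognito:groups": ["tenant-a"] },
  tenantBEditor: { "cognito:groups": ["tenant-b", "Editor"] },
  noGroups: {},
};

// Evaluate every sample user under both semantics.
function compare() {
  return Object.fromEntries(Object.entries(users).map(([name, claims]) => [
    name,
    {
      or: allowedByOrRules(claims, record, rules),
      and: allowedByAllGroups(claims, record, ["Editor"]),
    },
  ]));
}

console.log(compare());
```

The `tenantBEditor` row is the one to watch: under OR evaluation an Editor from a different tenant is authorized for a `tenant-a` record, while the all-groups check rejects it.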
