Field level access control in schema

Question

The documentation suggests that its possible to restrict access at granular field level within a schema:     with an example given as

```
type Post @aws_api_key @aws_iam{
   id: ID!
   author: String
   title: String
   content: String
   url: String
   ups: Int!
   downs: Int!
   version: Int!
   restrictedContent: String!
   @aws_iam
}
```

Based on this example it should be possible to implement restrictions on the email and phone fields in a user table like below

```
type Users @aws_auth(cognito_groups: ["Admin", "Everyone"]){
	userid: String!
	firstname: String
	lastname: String
	email: AWSEmail
		@aws_auth(cognito_groups: ["Admin"])
	phone: AWSPhone
		@aws_auth(cognito_groups: ["Admin"])
	public: Boolean
	access: String
}
```

However, this doesn't actually seem to work as all fields are returned regardless of group membership. Am I reading the docs correctly or is something mis-configured?

Answer

Hi,  
  
I think your issue is that you're applying the "Admin" group both on the type and on the field. Have you set up multi auth on your API? If so, can you try changing @aws_auth usages to this:  
  
        @aws_cognito_user_pools(cognito_groups:\["Admin"])  
  
? It looks like you're trying to use the wrong Cognito directive to fulfill a multi auth use case. The one you're using was created before the implementation of multi auth, and it only works for top level fields.  
  
Thanks,  
Jeff

Answer

Thanks!  
  
As you thought, the issue was with the auth directive. Changing to
 `@aws_cognito_user_pools(cognito_groups: ["Admin"])`
 works perfectly

```
type Users @aws_cognito_user_pools(cognito_groups: ["Everyone", "Admin"]){
	userid: String!
	firstname: String
	lastname: String
	email: AWSEmail
		@aws_cognito_user_pools(cognito_groups: ["Admin"])
	phone: AWSPhone
		@aws_cognito_user_pools(cognito_groups: ["Admin"])
	public: Boolean
	access: String
}
```

Field level access control in schema

Relevant content