I have an AWS Amplify application that has a structure with multi-organizations:
Organization A -> Content of Organization A
Organization B -> Content of Organization B
Let's say we have the user Alice. Alice belongs to both organizations; however, she has a different role in each one: in Organization A Alice is an administrator and has more privileges (i.e. she can delete content or modify others' content), while in Organization B she is a regular user.
For this reason I cannot simply set regular groups on Amplify (Cognito), because some users, like Alice, can belong to different groups on different organizations.
One solution that I thought of was having a group for each combination of organization and role,
i.e. OrganizationA__ADMIN, OrganizationB__USER, etc.
So I could restrict access in the schema using a group auth directive on the Content model:
# Amplify @auth rule: the allow value is "groups"; the record's "group" field names the Cognito group allowed to update it
@auth(rules: [{ allow: groups, groupsField: "group", operations: [update] }])
The content would have a group field with a value such as OrganizationA__ADMIN.
Then I could add the user to the group using the Admin Queries API. However, it doesn't seem to be possible to add a user to a group dynamically: I'd have to manually create each group every time a new organization is created, which pretty much kills my idea.
Any other idea on how I can achieve the result I'm aiming for? I know that I can add the restriction in code, but this is less safe, and I'd rather have this constraint at the database layer.
Look into generating additional claims in your pre-token-generation handler.
Basically you can create an attribute that includes the organization-role mapping,
e.g.
then transform them in your pre-token-generation handler into "pseudo" groups that don't actually exist in the pool.
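As an added example (not code from the answer's author), a Node.js pre-token-generation Lambda that does what the answer describes. It assumes the mapping lives in a custom attribute named custom:org_roles with the constructed format OrganizationA:ADMIN,OrganizationB:USER, and it emits the pseudo groups into the cognito:groups claim that Amplify's group auth rules match against, merged with whatever real pool groups the user has.

```javascript
// Constructed Cognito pre-token-generation handler (Node.js, V1 event shape).
// Assumed attribute: custom:org_roles = "<org>:<role>,<org>:<role>,...".
// The resulting groups (e.g. OrganizationA__ADMIN) never exist in the user
// pool; only the issued JWT carries them in cognito:groups.

// Allowlist so a stray attribute value cannot smuggle separators or
// lookalike characters into the group names the @auth rules compare against.
const ORG_RE = /^[A-Za-z0-9]{1,64}$/;
const ROLES = new Set(['ADMIN', 'USER']);

// Parse "OrganizationA:ADMIN,OrganizationB:USER" into sorted, de-duplicated
// pseudo group names. Malformed or unknown entries are dropped, not passed on.
function orgRolesToGroups(attrValue) {
  const groups = new Set();
  for (const entry of String(attrValue || '').split(',')) {
    const [org, role] = entry.trim().split(':');
    if (!org || !role || !ORG_RE.test(org) || !ROLES.has(role)) continue;
    groups.add(`${org}__${role}`);
  }
  return [...groups].sort();
}

// Build the response Cognito expects. Real pool groups from the event are
// kept and the pseudo groups appended, so overriding does not drop them.
function addPseudoGroups(event) {
  const attrs = event.request.userAttributes || {};
  const real = (event.request.groupConfiguration || {}).groupsToOverride || [];
  // Security note: the app client must NOT grant users write permission on
  // custom:org_roles, otherwise a user could assign themselves ADMIN.
  const pseudo = orgRolesToGroups(attrs['custom:org_roles']);
  const groups = [...new Set([...real, ...pseudo])];
  event.response = {
    claimsOverrideDetails: {
      // Expose the mapping as a plain claim too (claim values must be strings).
      claimsToAddOrOverride: { org_roles: pseudo.join(',') },
      groupOverrideDetails: {
        groupsToOverride: groups, // becomes the cognito:groups claim
        iamRolesToOverride: [],
      },
    },
  };
  return event;
}

// Lambda entry point for the TokenGeneration_* trigger sources.
async function handler(event) {
  return addPseudoGroups(event);
}

if (typeof module !== 'undefined') module.exports = { handler, orgRolesToGroups, addPseudoGroups };
```

Set the trigger on the user pool and keep custom:org_roles writable only by the admin path that creates or updates organization memberships.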