#✅ - Custom group-based data access

8 messages · Page 1 of 1 (latest)

craggy saffron

Hey all, I'm working with Amplify and need to set up ownership of records based on teams instead of Cognito groups. I currently have a User model with their Cognito sub stored and I have a Team model with a relationship to users. I see that I can create a relationship to groups (https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access). I am also aware of the example where each record can store a string of owner IDs. However, it would get cumbersome to do this for each record created.

Is there a way to do this so that the owner of a record (say, todo for example) is a team ID and all users linked to that team can have access?

heavy crystal

Hi @craggy saffron 👋 I don’t think there’s a built-in way to authorize access to a record based on a relationship between other models. You’d have to leverage user pool groups or implement your own auth logic in a lambda function using the custom auth rule:

https://docs.amplify.aws/cli/graphql/authorization-rules/#custom-authorization-rule

From the lambda you can query the Team table and make sure that the User trying to access the record belongs to the appropriate Team.

craggy saffron

@heavy crystal Ah okay. Thanks for the feedback. That's pretty disappointing, but it might be doable to set it up with a lambda since there aren't going to be too many users.

granite hollyBOT

✅ - Custom group-based data access

Answer selected!

> https://docs.amplify.aws/cli/graphql/authorization-rules/#custom-authorization-rule
>
> From the lambda you can query the Team table and make sure that the User trying to access the record belongs to the appropriate Team.

Kudos to @heavy crystal!
random saffron

I feel like it's redundant to always query the data the user is trying to access to perform an authorization check if you can safely store it in the Cognito attributes; just make sure the attributes can't be updated on the client side.
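
Putting the selected answer and the suggestion above together as working code (an added example, not code from the thread or from Amplify itself): an AppSync Lambda authorizer for Amplify's `{ allow: custom }` rule that allows an operation only when the verified caller belongs to the team the targeted record belongs to. Membership is read from the Team table, or from a Cognito custom attribute carried in the ID token when the deployment can vouch that the app client cannot write that attribute. Everything below that the thread does not state is an assumption: records carry a `teamID` field, the attribute is named `custom:teams` and holds comma-separated team IDs, the client sends the Cognito ID token as the authorization token, and `verifyIdToken`, `lookupTeamIds` and `recordTeamId` are hypothetical dependencies backed by constructed in-memory tables so the example runs offline (a real handler would verify the token with a library such as `aws-jwt-verify` and await DynamoDB queries).

```javascript
'use strict';

// Added example, not code from the thread or from Amplify. An AppSync Lambda
// authorizer for Amplify's `{ allow: custom }` rule that allows an operation
// only when the verified caller belongs to the team the targeted record
// belongs to. Membership comes from the Team table (selected answer) or from
// a Cognito custom attribute in the ID token (random saffron's suggestion);
// the claim is trusted only when `trustTeamsClaim` is set, i.e. when the app
// client cannot write that attribute.
//
// Assumed, not from the thread: records carry a `teamID` field, the attribute
// is `custom:teams` holding comma-separated team IDs, the client sends the ID
// token as the authorization token, and the lookups are in-memory tables
// standing in for DynamoDB queries (which a real handler would await).

const DENY = Object.freeze({ isAuthorized: false, ttlOverride: 0 });

// Every team an operation touches: the team named in a create/update input
// plus the current team of any record addressed by id. An unknown id yields
// null so the caller fails closed instead of passing a record it cannot see.
function touchedTeamIds(variables, recordTeamId) {
  const v = variables && typeof variables === 'object' ? variables : {};
  const input = v.input && typeof v.input === 'object' ? v.input : {};
  const teams = [];
  if (typeof input.teamID === 'string') teams.push(input.teamID);
  const id = typeof v.id === 'string' ? v.id
    : typeof input.id === 'string' ? input.id : null;
  if (id !== null) teams.push(recordTeamId(id));
  return teams;
}

// Teams the verified caller belongs to, from the token claim or the Team table.
function memberTeams(claims, deps) {
  if (deps.trustTeamsClaim && typeof claims['custom:teams'] === 'string') {
    return new Set(claims['custom:teams'].split(',').filter(Boolean));
  }
  return new Set(deps.lookupTeamIds(claims.sub));
}

// Authorizer body. `event` is the AppSync Lambda authorizer event:
// { authorizationToken, requestContext: { operationName, variables, ... } }.
function authorize(event, deps) {
  let claims;
  try {
    claims = deps.verifyIdToken(event.authorizationToken);
  } catch (err) {
    return DENY; // missing, expired or forged token
  }
  const variables = event.requestContext && event.requestContext.variables;
  const touched = touchedTeamIds(variables, deps.recordTeamId);
  // Nothing ties the operation to a team (list query, unknown record): deny.
  if (touched.length === 0 || touched.some((t) => t === null)) return DENY;
  const mine = memberTeams(claims, deps);
  if (!touched.every((t) => mine.has(t))) return DENY;
  return {
    isAuthorized: true,
    // The decision depends on the variables, not only on the token, so
    // AppSync must not cache it and replay it for a different record.
    ttlOverride: 0,
    // Visible to resolvers as $ctx.identity.resolverContext.
    resolverContext: { sub: claims.sub, teamIds: [...mine].join(',') },
  };
}

// Constructed sample data standing in for Cognito and the Team / Todo tables.
// mallory's token claims team-red but the Team table says team-blue, which is
// what a self-edited attribute would look like.
const TOKENS = {
  'token-alice': { sub: 'alice', 'custom:teams': 'team-red' },
  'token-mallory': { sub: 'mallory', 'custom:teams': 'team-red' },
};
const TEAM_MEMBERS = { alice: ['team-red'], mallory: ['team-blue'] };
const TODO_TEAM = { 'todo-1': 'team-red', 'todo-2': 'team-blue' };

const exampleDeps = {
  verifyIdToken: (token) => {
    if (!(token in TOKENS)) throw new Error('invalid token');
    return TOKENS[token];
  },
  lookupTeamIds: (sub) => TEAM_MEMBERS[sub] || [],
  recordTeamId: (id) => (id in TODO_TEAM ? TODO_TEAM[id] : null),
  trustTeamsClaim: false,
};

// Build an authorizer event the way AppSync would for one GraphQL operation.
function request(token, operationName, variables) {
  return { authorizationToken: token, requestContext: { operationName, variables } };
}

// Lambda entry point (would be exported as module.exports.handler).
const handler = async (event) => authorize(event, exampleDeps);
```

Two caveats a practitioner should check. AppSync caches Lambda authorizer results per token for `authorizerResultTtlInSeconds`; because this decision depends on the record in the variables, the response sets `ttlOverride: 0`, otherwise an allow for one record would be replayed for another. And the `custom:teams` shortcut is only safe if the user pool app client's writable attributes exclude it, so a user cannot self-assign teams through UpdateUserAttributes; when in doubt, keep `trustTeamsClaim` false and pay for the table lookup. List queries carry no record, so this authorizer fails closed on them; per-team filtering of lists has to be done in the resolver using the `teamIds` passed through `resolverContext`.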

craggy saffron
> random saffron: I feel like it's redundant to always query the data the user is trying to access ...

That would be an interesting idea to only have a groups table and avoid storing the user data twice. My main issue is I have users submitting a form with a file upload, and I'm not sure how I would go about resolving ownership on the database side since it's an Amplify form. Because I need to allow users to create records, trace the records back to the users who created them, and be able to only show them the records by their group. Seems Amplify was not built with that kind of stuff in mind.