Owner vs. Group Access Control in AWS Amplify API

To add access control to your API, you add access control annotations to your GraphQL schema in amplify\backend\api\APINAME\schema.graphql.
Owner access control has the form @auth(rules: [{allow: owner, ...owner access control settings...}]).
Group access control has the form @auth(rules: [{allow: groups, ...group access control settings...}]).
AWS Amplify then takes your access control specification and generates resolvers that contain the access control code to enforce your specification.

As specified in the AWS Amplify documentation, “each object has an ownerField (by default ‘owner’) that stores ownership information.” To specify that a single user should have access, use an ownerField of type String. To specify that multiple users should have access, use an ownerField of type [String].

As specified in the documentation, “With dynamic group authorization, each record contains an attribute specifying what groups should be able to access it. Use the groupsField argument to specify which attribute in the underlying data store holds this group information. To specify that a single group should have access, use a field of type String. To specify that multiple groups should have access, use a field of type [String].”

For GraphQL queries (getX and listX), and update and delete mutations, the primary difference between owner and group access control is that the user is assumed to have a scalar value in identityClaim (a user can only have a single unique identifier), but a list of values in groupClaim (a user can be a member of multiple groups).

For GraphQL create mutations, a major difference is that, in owner access control, if a create mutation operation does not specify a value for the ownerField in the object it is creating, the value from the identityClaim field in the access token (by default the username) is placed in the ownerField of the created object, and authorization is automatically approved.

There’s no analogous system for group access control because a groupClaim is a list of values. It wouldn’t be clear which of the elements of the list should be automatically placed in the groupsField if the user didn’t explicitly specify a value.

So when choosing between owner and group access control to build your final access control system on, keep the following two things in mind. Group access control is more generalized, because its claim can contain a list of values, not just a single value as in owner access control. But owner access control allows you to specify a default value during object creation.
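
The difference described above, as an added example: a simplified JavaScript model of the two checks, not Amplify's generated resolver code and not code from the original post. The function names and the sample token claims are constructed for illustration, and the handling of a create that supplies an explicit ownerField or groupsField value (the caller must match it) is an assumption.

```javascript
// Simplified model of the owner and group checks described in this post.
// Hypothetical helper names; this is NOT the resolver code Amplify generates.

// ownerField / groupsField may be a String or a [String]; normalise to a list.
const asList = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// Owner rule: the caller has ONE identity value, matched against ownerField.
function ownerAllows(record, claims, rule) {
  const identity = claims[rule.identityClaim];
  return identity != null && asList(record[rule.ownerField]).includes(identity);
}

// Group rule: the caller has a LIST of groups; any overlap with groupsField passes.
function groupAllows(record, claims, rule) {
  const userGroups = asList(claims[rule.groupClaim]);
  return asList(record[rule.groupsField]).some((g) => userGroups.includes(g));
}

// Create under the owner rule: a missing ownerField is filled from the
// identity claim and the create is approved.
function createWithOwnerRule(input, claims, rule) {
  const identity = claims[rule.identityClaim];
  if (identity == null) return { allowed: false, record: null };
  if (input[rule.ownerField] == null) {
    return { allowed: true, record: { ...input, [rule.ownerField]: identity } };
  }
  // Assumption: an explicitly supplied owner value must include the caller.
  const allowed = ownerAllows(input, claims, rule);
  return { allowed, record: allowed ? { ...input } : null };
}

// Create under the group rule: there is no default to fall back on, so an
// input without a matching groupsField value is denied.
function createWithGroupRule(input, claims, rule) {
  const allowed = groupAllows(input, claims, rule);
  return { allowed, record: allowed ? { ...input } : null };
}

// Constructed sample rules and token claims (not taken from a real token).
const ownerRule = { ownerField: "owner", identityClaim: "username" };
const groupRule = { groupsField: "groups", groupClaim: "cognito:groups" };
const alice = { username: "alice", "cognito:groups": ["editors", "reviewers"] };

console.log(createWithOwnerRule({ title: "draft" }, alice, ownerRule));
console.log(createWithGroupRule({ title: "draft" }, alice, groupRule));
```

With a group-only rule, the client has to send the groupsField value on every create, so that input is worth validating on the client side as well.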
