---
title: "With admin actions"
section: "build-a-backend/auth/manage-users"
platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
gen: 2
last-updated: "2024-05-02T01:41:16.000Z"
url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/with-admin-actions/"
---

Amplify Auth can be managed with the [AWS SDK's `@aws-sdk/client-cognito-identity-provider` package](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/). This package is intended to use server-side, and can be used within a Function. This example focuses on the `addUserToGroup` action and will be defined as a [custom mutation](/[platform]/build-a-backend/data/custom-business-logic/#step-1---define-a-custom-query-or-mutation).

To get started, create an "ADMINS" group that will be used to authorize the mutation:

```ts title="amplify/auth/resource.ts"
import { defineAuth } from "@aws-amplify/backend"

export const auth = defineAuth({
  loginWith: {
    email: true,
  },
  // highlight-next-line
  groups: ["ADMINS"]
})
```

Next, create the Function resource:

```ts title="amplify/data/add-user-to-group/resource.ts"
import { defineFunction } from "@aws-amplify/backend"

export const addUserToGroup = defineFunction({
  name: "add-user-to-group",
})
```

Then, in your auth resources, grant access for the function to perform the `addUserToGroup` action. [Learn more about granting access to auth resources](/[platform]/build-a-backend/auth/grant-access-to-auth-resources).

```ts title="amplify/auth/resource.ts"
import { defineAuth } from "@aws-amplify/backend"
// highlight-next-line
import { addUserToGroup } from "../data/add-user-to-group/resource"

export const auth = defineAuth({
  loginWith: {
    email: true,
  },
  groups: ["ADMINS"],
  // highlight-start
  access: (allow) => [
    allow.resource(addUserToGroup).to(["addUserToGroup"])
  ],
  // highlight-end
})
```

You're now ready to define the custom mutation. Here you will use the newly-created `addUserToGroup` function resource to handle the `addUserToGroup` mutation. This mutation can only be called by a user in the "ADMINS" group.

```ts title="amplify/data/resource.ts"
import type { ClientSchema } from "@aws-amplify/backend"
import { a, defineData } from "@aws-amplify/backend"
import { addUserToGroup } from "./resource"

const schema = a.schema({
  addUserToGroup: a
    .mutation()
    .arguments({
      userId: a.string().required(),
      groupName: a.string().required(),
    })
    .authorization((allow) => [allow.group("ADMINS")])
    .handler(a.handler.function(addUserToGroup))
    .returns(a.json())
})

export type Schema = ClientSchema<typeof schema>

export const data = defineData({
  schema,
  authorizationModes: {
    defaultAuthorizationMode: "iam",
  },
})
```

Lastly, create the function's handler using the exported client schema to type the handler function, and the generated `env` to specify the user pool ID you'd like to interact with:

```ts title="amplify/data/add-user-to-group/handler.ts"
import type { Schema } from "../resource"
import { env } from "$amplify/env/add-user-to-group"
import {
  AdminAddUserToGroupCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider"

type Handler = Schema["addUserToGroup"]["functionHandler"]
const client = new CognitoIdentityProviderClient()

export const handler: Handler = async (event) => {
  const { userId, groupName } = event.arguments
  const command = new AdminAddUserToGroupCommand({
    Username: userId,
    GroupName: groupName,
    UserPoolId: env.AMPLIFY_AUTH_USERPOOL_ID,
  })
  const response = await client.send(command)
  return response
}
```

<!-- Platform: angular, javascript, nextjs, react, react-native, vue -->
In your frontend, use the generated client to call your mutation using the group name and the user's ID.

<!-- Platform: angular, javascript, nextjs, react, react-native, vue -->
```ts title="src/client.ts"
import type { Schema } from "../amplify/data/resource"
import { generateClient } from "aws-amplify/data"

const client = generateClient<Schema>()

await client.mutations.addUserToGroup({
  groupName: "ADMINS",
  userId: "5468d468-4061-70ed-8870-45c766d26225",
})
```
<!-- /Platform -->
<!-- Platform: flutter -->

<!-- /Platform -->
<!-- Platform: android -->

<!-- /Platform -->
<!-- Platform: swift -->

<!-- /Platform -->
<!-- /Platform -->
