User group-based data access

You can use the group authorization strategy to restrict access based on user groups. The user group authorization strategy allows restricting data access to specific user groups or groups defined dynamically on each data record.

Add authorization rules for specific user groups

When you want to restrict access to a specific set of user groups, provide the group names in the groups parameter. In the example below, only users that are part of the "Admin" user group are granted access to the Salary model.

amplify/data/resource.ts

1// allow one specific group
2const schema = a.schema({
3  Salary: a
4    .model({
5      wage: a.float(),
6      currency: a.string(),
7    })
8    .authorization(allow => [allow.group('Admin')]),
9});

In your application, you can perform CRUD operations against the model using client.models.<model-name> with the userPool auth mode.

1import { generateClient } from 'aws-amplify/data';
2import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition
3
4const client = generateClient<Schema>();
5
6// As a signed-in user that belongs to the 'Admin' User Pool Group
7const { errors, data: newSalary } = await client.models.Salary.create(
8  {
9    wage: 50.25,
10    currency: 'USD'
11  },
15);

This can then be updated to allow access to multiple defined groups; in this example below we added access for "Leadership".

1// allow multiple specific groups
2const schema = a.schema({
3  Salary: a
4    .model({
5      wage: a.float(),
6      currency: a.string(),
7    })
8    .authorization(allow => [allow.groups(['Admin', 'Leadership'])]),
9});

Add authorization rules for dynamically set user groups

With dynamic group authorization, each record contains an attribute specifying what Cognito groups should be able to access it. Use the first argument to specify which attribute in the underlying data store holds this group information. To specify that a single group should have access, use a field of type a.string(). To specify that multiple groups should have access, use a field of type a.string().array().

1// Dynamic group authorization with multiple groups
2const schema = a.schema({
3  Post: a
4    .model({
5      title: a.string(),
6      groups: a.string().array(),
7    })
8    .authorization(allow => [allow.groupsDefinedIn('groups')]),
9});

1// Dynamic group authorization with a single group
2const schema = a.schema({
3  Post: a
4    .model({
5      title: a.string(),
6      group: a.string(),
7    })
8    .authorization(allow => [allow.groupDefinedIn('group')]),
9});

By default, group authorization leverages Amazon Cognito user pool groups but you can also use OpenID Connect with group authorization. See OpenID Connect as an authorization provider.

Known limitations for real-time subscriptions when using dynamic group authorization:

If you authorize based on a single group per record, then subscriptions are only supported if the user is part of 5 or fewer user groups
If you authorize via an array of groups (groups: a.string().array() used in the example above),
- subscriptions are only supported if the user is part of 20 or fewer groups
- you can only authorize 20 or fewer user groups per record

Signed-in user data access

Custom data access using Lambda functions