Per-user/per-owner data access
The owner
authorization strategy restricts operations on a record to only the record's owner. When configured, the owner
field will automatically be added and populated with the identity of the created user. The API will authorize against the owner
field to allow or deny operations.
Add per-user/per-owner authorization rule
You can use the owner
authorization strategy to restrict a record's access to a specific user. When owner
authorization is configured, only the record's owner
is allowed the specified operations.
// The "owner" of a Todo is allowed to create, read, update, and delete their own todosconst schema = a.schema({ Todo: a .model({ content: a.string(), }) .authorization(allow => [allow.owner()]),});
// The "owner" of a Todo record is only allowed to create, read, and update it.// The "owner" of a Todo record is denied to delete it.const schema = a.schema({ Todo: a .model({ content: a.string(), }) .authorization(allow => [allow.owner().to(['create', 'read', 'update'])]),});
In your application, you can perform CRUD operations against the model with the amazonCognitoUserPools
auth mode.
do { let todo = Todo(content: "My new todo") let createdTodo = try await Amplify.API.mutate(request: .create( todo, authMode: .amazonCognitoUserPools)).get()} catch { print("Failed to create todo", error)}
Behind the scenes, Amplify will automatically add a owner: a.string()
field to each record which contains the record owner's identity information upon record creation.
By default, the Cognito user pool's user information is populated into the owner
field. The value saved includes sub
and username
in the format <sub>::<username>
. The API will authorize against the full value of <sub>::<username>
or sub
/ username
separately and return username
. You can alternatively configure OpenID Connect as an authorization provider.
Customize the owner field
You can override the owner
field to your own preferred field, by specifying a custom ownerField
in the authorization rule.
const schema = a.schema({ Todo: a .model({ content: a.string(), author: a.string(), // record owner information now stored in "author" field }) .authorization(allow => [allow.ownerDefinedIn('author')]),});