Currently the APIs that we are creating simply allow access to the individual records in DynamoDB for that particular UserID. That is, create a note for user test@example.com. The GET request retrieves all the notes for that userId, etc.
How can we extend this functionality to include permissions for individual users that sign up in this serverless environment with Cognito?
For example:
an ADMIN role can see all notes in the system and tweak individual permissions.
a NO-ATTACHMENT role can create notes but not upload attachments.
In standard web app development, you could create this as a “Users” table in your db and reference it with your User class as a part of your authentication.
Awesome. Yeah, I would create an admin panel to manage this.
How to edit the user roles depends on whether there is any kind of out-of-the-box Cognito functionality that achieves this. I’d prefer not to re-create the wheel.
I know that it’s possible to trigger Lambda functions via Cognito Identity User Triggers (potentially Pre-Authentication). Using this method, we could have a ‘UserRoles’ table that has the uuid of the user and another column for ‘Role’, which would have to be referenced in that pre-auth trigger for each request.
Do you have any better ways of getting this going?
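One way to enforce the roles described above, as an added example that is not part of the original thread: a deny-by-default check in the Lambda handler that reads roles from Cognito User Pool groups (the `cognito:groups` claim API Gateway forwards from the verified token) instead of a per-request table lookup in a pre-auth trigger. The event shape, the claim names, and every action name other than the ADMIN and NO-ATTACHMENT roles from the post are assumptions.

```javascript
// Added example, not code from the original thread. Assumes API Gateway fronts the
// Lambda with a Cognito User Pool authorizer, so the caller's group memberships
// arrive in the verified JWT's "cognito:groups" claim and the caller's id in "sub".
// The role names ADMIN and NO-ATTACHMENT are the ones proposed in the post.

// API Gateway passes the groups claim as a string such as "[ADMIN,EDITOR]" (or, in
// some configurations, an array); normalise both into a plain array of names.
function rolesFromClaims(claims) {
  const raw = (claims || {})["cognito:groups"];
  if (!raw) return [];
  if (Array.isArray(raw)) return raw;
  return String(raw)
    .replace(/^\[|\]$/g, "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
}

// Each action names the condition under which it is allowed; unknown actions are
// denied, so a new endpoint cannot become reachable without an explicit rule.
function authorize(action, roles, callerId, targetUserId) {
  const isAdmin = roles.includes("ADMIN");
  const ownRecord = callerId !== undefined && callerId === targetUserId;
  switch (action) {
    case "listAllNotes":      // cross-user read: ADMIN only
      return isAdmin;
    case "readNotes":         // own notes, or any user's notes for ADMIN
    case "createNote":
      return ownRecord || isAdmin;
    case "uploadAttachment":  // NO-ATTACHMENT removes this right even on own notes
      return ownRecord && !roles.includes("NO-ATTACHMENT");
    case "setUserRole":       // the "tweak individual permissions" capability
      return isAdmin;
    default:
      return false;
  }
}

// Decide from the API Gateway event itself: identity comes from the verified
// token in requestContext, never from the request body or query string.
function decide(event, action, targetUserId) {
  const claims = (((event || {}).requestContext || {}).authorizer || {}).claims;
  return authorize(action, rolesFromClaims(claims), (claims || {}).sub, targetUserId);
}

// Constructed sample event in the shape of an API Gateway REST proxy event.
function sampleEvent(groups, sub) {
  return { requestContext: { authorizer: { claims: { sub, "cognito:groups": `[${groups.join(",")}]` } } } };
}
```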