how to @auth Combining Owner/Groups rules for Multi-Tenant Apps?

0

I am using this schema in an AWS GraphQL structure. I have stored the tenant ID in AWS Cognito user pool custom attributes.

type ClientDetails
  @model
  @auth(
    rules: [
      {
        and: [
          { allow: owner, ownerField: "tenant", identityClaim: "custom:tenant" }
          {
            or: [
              { allow: owner, ownerField: "owner" }
              { allow: groups, groups: ["Customers"], operations: [read] }
              { allow: groups groups: ["Admin"] operations: [create, update, read] }
            ]
          }
        ]
      }
    ]
  ) {
  id: ID!
  tenant: String!
  OrganizationName: String!
  SuperUser: String!
}

While running the amplify api gql-compile command, it throws an error. The error was:

Schema validation failed.

Field "AuthRule.allow" of required type "AuthStrategy!" was not provided.

GraphQL request:852:41
852 | type ClientDetails @model @auth(rules: [{and: [{allow: owner, ownerField: "tenan
    |                                         ^
    | t", identityClaim: "custom:tenant"}, {or: [{allow: owner, ownerField: "owner"},

Field "and" is not defined by type "AuthRule".

GraphQL request:852:42
852 | type ClientDetails @model @auth(rules: [{and: [{allow: owner, ownerField: "tenan
    |                                          ^
    | t", identityClaim: "custom:tenant"}, {or: [{allow: owner, ownerField: "owner"},

How do I resolve this? Please share if you have any reference documents for creating schemas in GraphQL structure related to multi-tenancy.

1 Answer
0
Accepted Answer

Thank you for reaching out to us regarding the above query.

As mentioned in the error message, the field "and" which is being used in the @auth rules is not defined by type "AuthRule". Kindly note that in Amplify, when combining multiple authorization rules in your schema, they are logically OR-ed. Hence, the correct syntax of your schema would look like below:

type ClientDetails
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "tenant", identityClaim: "custom:tenant" }
      { allow: owner, ownerField: "owner" }
      { allow: groups, groups: ["Customers"], operations: [read] }
      { allow: groups groups: ["Admin"] operations: [create, update, read] }
    ]
  ) {
  id: ID!
  tenant: String!
  OrganizationName: String!
  SuperUser: String!
}

Further, you might be aware that, combining Owner/Groups rules for Multi-Tenant Apps is an active Feature Request in Amplify and the internal team is aware of it. However, you may refer to the discussion done in the below GitHub Issue which mentions some of the workarounds used by different Amplify Community users.

Having said that, in case you face further challenges, please feel free to open a support case with AWS using the following link.

AWS
Support Engineer
answered 5 months ago
Expert
reviewed 5 months ago
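
The OR semantics described in the answer, modeled as an added example (not code from the original post or from Amplify): it evaluates the answer's four rules against constructed Cognito claims and contrasts the result with the tenant-AND-role check that the question's nesting expressed. The `cognito:username` claim for the `owner` rule, the function names and the sample users are assumptions.

```javascript
// Simplified model of @auth rule evaluation; not Amplify's generated resolver code.
// The rules mirror the four rules in the answer's schema.
const rules = [
  { allow: "owner", ownerField: "tenant", identityClaim: "custom:tenant" },
  { allow: "owner", ownerField: "owner", identityClaim: "cognito:username" }, // claim name is an assumption
  { allow: "groups", groups: ["Customers"], operations: ["read"] },
  { allow: "groups", groups: ["Admin"], operations: ["create", "update", "read"] },
];

// True when one rule on its own authorizes `op` on `record` for these claims.
function ruleAllows(rule, claims, record, op) {
  if (rule.operations && !rule.operations.includes(op)) return false;
  if (rule.allow === "owner") {
    const identity = claims[rule.identityClaim];
    return identity !== undefined && record[rule.ownerField] === identity;
  }
  if (rule.allow === "groups") {
    const mine = claims["cognito:groups"] || [];
    return rule.groups.some((g) => mine.includes(g));
  }
  return false;
}

// What the answer describes: the rules in the list are logically OR-ed.
function allowedOr(claims, record, op) {
  return rules.some((r) => ruleAllows(r, claims, record, op));
}

// What the question's and/or nesting expressed: tenant match AND one other rule.
// Hypothetical check (e.g. for a custom resolver); not an Amplify feature.
function allowedTenantScoped(claims, record, op) {
  const [tenantRule, ...rest] = rules;
  return ruleAllows(tenantRule, claims, record, op) &&
    rest.some((r) => ruleAllows(r, claims, record, op));
}

// Constructed sample data.
const record = { id: "1", tenant: "tenant-a", owner: "alice" };
const bob = { "cognito:username": "bob", "custom:tenant": "tenant-b", "cognito:groups": ["Customers"] };
const carol = { "cognito:username": "carol", "custom:tenant": "tenant-a", "cognito:groups": ["Customers"] };
const dave = { "cognito:username": "dave", "custom:tenant": "tenant-a", "cognito:groups": [] };

console.log("OR, other-tenant Customer reads:", allowedOr(bob, record, "read"));
console.log("Scoped, other-tenant Customer reads:", allowedTenantScoped(bob, record, "read"));
console.log("Scoped, same-tenant Customer reads:", allowedTenantScoped(carol, record, "read"));
console.log("OR, same-tenant user with no group deletes:", allowedOr(dave, record, "delete"));
```

Under OR-ed rules, membership in `Customers` alone is enough to read every tenant's records, so tenant isolation has to be enforced by a separate check.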
