EXTENSION: User Permissions and Roles


Currently the APIs that we are creating simply allow access to the individual records in DynamoDB for that particular UserID. That is, create a note for user test@example.com; the GET request retrieves all the notes for that userId, etc.

How can we extend this functionality to include permissions for individual users that sign up in this serverless environment with Cognito?

For example:

  • an ADMIN role can see all notes in the system and tweak individual permissions.
  • a NO-ATTACHMENT role can create notes but not upload attachments.

In standard web app development, you could create this as a “Users” table in your db and reference it with your User class as a part of your authentication.

Yeah, that is a good idea. I’ve added it to the list here: https://github.com/AnomalyInnovations/serverless-stack-com/projects/1

How would you go about editing the user roles? Would there be some sort of an admin panel for this?

Awesome. Yeah, I would create an admin panel to manage this.

How to edit the user roles depends on whether there is any kind of out-of-the-box Cognito functionality that achieves this. I’d prefer not to re-create the wheel.

I know that it’s possible to trigger Lambda functions via Cognito Identity User Triggers (potentially Pre-Authentication). Using this method, we could have a ‘UserRoles’ table that has the uuid of the user and another column for ‘Role’, which would have to be referenced in that pre-auth trigger for each request.

Do you have any better ways of getting this going?

Have you explored the idea of using Cognito User Groups?

Wow, I just took a high-level look at this and from the outset it looks like exactly what I’m after!

Thanks jayair!

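As an added example (not code from the thread or from Serverless Stack), this is how the Cognito User Groups idea above maps onto the two roles from the original question. It assumes the API sits behind a Cognito User Pool authorizer so the handler sees the verified token claims, and that groups named ADMIN and NO-ATTACHMENT exist in the pool; both are assumptions, and the action names are hypothetical.

```javascript
// Added example: role checks driven by Cognito User Group membership.
// Assumes a Cognito User Pool authorizer exposes the verified token claims to
// the Lambda handler; group names ADMIN and NO-ATTACHMENT are the hypothetical
// ones from the thread, and the action names are made up for this example.

// Cognito carries group membership in the "cognito:groups" claim. Depending on
// the integration it arrives as an array or as one stringified value, so
// normalise defensively and treat anything unparseable as "no groups".
function groupsFromClaims(claims) {
  const raw = claims && claims["cognito:groups"];
  if (Array.isArray(raw)) return raw.map(String);
  if (typeof raw === "string") {
    return raw.replace(/^\[|\]$/g, "").split(/[\s,]+/).filter(Boolean);
  }
  return [];
}

// Deny by default: a caller gets only what a rule explicitly grants, and the
// decision is taken before any DynamoDB access happens.
function authorize(claims, action, noteOwnerId) {
  const groups = groupsFromClaims(claims);
  const userId = claims && claims.sub;
  if (!userId) return { allowed: false, reason: "unauthenticated" };
  const isAdmin = groups.includes("ADMIN");
  switch (action) {
    case "listAllNotes":
      return isAdmin ? { allowed: true } : { allowed: false, reason: "admin only" };
    case "uploadAttachment":
      if (groups.includes("NO-ATTACHMENT")) return { allowed: false, reason: "role forbids attachments" };
      return { allowed: true };
    case "readNote":
    case "createNote":
      // The per-user ownership check stays: a role never lets a plain user
      // touch another user's note; only ADMIN crosses that boundary.
      if (isAdmin || noteOwnerId === userId) return { allowed: true };
      return { allowed: false, reason: "not the owner" };
    default:
      return { allowed: false, reason: "unknown action" };
  }
}

// Lambda-style wrapper: on deny, respond 403 with no note data at all.
function handler(event, action, noteOwnerId) {
  const claims = event.requestContext.authorizer.claims;
  const decision = authorize(claims, action, noteOwnerId);
  if (!decision.allowed) return { statusCode: 403, body: JSON.stringify({ error: decision.reason }) };
  return { statusCode: 200, body: JSON.stringify({ ok: true }) };
}
```

Group membership is read from the verified token rather than from a client-supplied field, so a user cannot claim a role the pool did not assign.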

Hey, did you ever implement this? Have any code examples you’re willing to share?