
Allow All Authenticated Users to Read Documents Created by Admin User Group With Amplify


Consider the following model in my schema:

type Document
  @model
  @auth (
    rules: [
      { allow: private, operations: [read] }
      { allow: groups, groups: ["Admin"], operations: [update, create, read, delete] }
      { allow: groups, groupsField: "group", operations: [update, create, read, delete] }
    ]
  ) {
  id: ID!
  group: String!
  ...
}

I need my rules to do the following 3 things:

  1. Users within the admin group should have full CRUD access to every document
  2. Users within their usergroup should have full CRUD access to every document within their usergroup
  3. All users should have Read access to documents within the Admin group

As it stands, rules 2 and 3 accomplish my first 2 requirements. However, rule 1 allows all authenticated users to read all documents. How can I restrict this access such that all authenticated users can read documents within the admin usergroup? I would prefer to not set up a lambda trigger or modify the default resolvers if it is possible to accomplish my needs by simply adding a rule.

I'm using amplify gen 1, and the React v6 framework if that matters. I've been reading their gen 1 authorization rules documentation. With everything the auth rules can do, I'm hoping I just missed a rule that would solve this with a simple amplify push!


Solution

  • I ended up realizing that I can change my schema to make the groupsField (group) a [String] and store multiple groups on the document. With that, I ended up:

    1. Creating a new Cognito group and adding all of my users to it
    2. Changing group: String! to group: [String]! in my schema and doing an amplify push
    3. Once my push finished, running a script I made with the DynamoDB SDK to grab all items in the affected tables, convert the group property from a string to a string array, and insert the new Cognito group into the array

    Hopefully this helps someone else down the line!
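An added example (not the answerer's script) of the migration in step 3: it walks a table with a paginated Scan, rewrites a string `group` into an array, appends the new group, and is safe to re-run on items that already have the array shape. The `client` is assumed to be a DocumentClient-style object with promise-returning `scan` and `update` methods (for example the v3 `DynamoDBDocument` from `@aws-sdk/lib-dynamodb`); the table and group names are placeholders.

```javascript
// Convert one item's `group` attribute into the new `[String]` shape and add
// `newGroup`. Returns null when nothing needs to change, so the migration can
// be re-run after a partial failure without duplicating entries.
function migratedGroups(item, newGroup) {
  let groups;
  if (Array.isArray(item.group)) groups = [...item.group];    // already migrated
  else if (typeof item.group === 'string') groups = [item.group]; // old shape
  else groups = [];                                             // attribute missing
  if (!groups.includes(newGroup)) groups.push(newGroup);
  const unchanged = Array.isArray(item.group) &&
    item.group.length === groups.length &&
    item.group.every((g, i) => g === groups[i]);
  return unchanged ? null : groups;
}

// Scan the whole table, following LastEvaluatedKey pagination (a single Scan
// call returns at most 1 MB of items), and update each item that needs it.
// Every group listed in `group` receives exactly the operations that the
// `groupsField: "group"` rule grants, so choose `newGroup` accordingly.
// `id` is the partition key of an Amplify-generated @model table.
async function migrateTable(client, tableName, newGroup) {
  let updated = 0;
  let ExclusiveStartKey;
  do {
    const page = await client.scan({ TableName: tableName, ExclusiveStartKey });
    for (const item of page.Items ?? []) {
      const groups = migratedGroups(item, newGroup);
      if (groups === null) continue;
      await client.update({
        TableName: tableName,
        Key: { id: item.id },
        // "group" is a DynamoDB reserved word, so it must go through a name alias.
        UpdateExpression: 'SET #g = :g',
        ExpressionAttributeNames: { '#g': 'group' },
        ExpressionAttributeValues: { ':g': groups },
        ConditionExpression: 'attribute_exists(id)', // never create items
      });
      updated += 1;
    }
    ExclusiveStartKey = page.LastEvaluatedKey;
  } while (ExclusiveStartKey);
  return updated; // number of items rewritten
}
```

Run it once per affected table after the amplify push that changes the field type, for example `migrateTable(docClient, 'Document-<placeholder>', 'AllUsers')`.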