I am using Hasura for the GraphQL API. I have also configured RBAC using Hasura. For example, for the Manager role, I granted access to the following columns in the users table for Read operations: id, name, email. Can I use Hasura to configure column-level access control—for example, to show the value of the email column only for users who belong to the same organization (another table) as the user making the request and who has the Manager role, and show NULL for others? I know that Hasura supports conditional access to rows, but what about applying the same logic to the visibility of values in specific columns?
In a nutshell, what you are describing can be accomplished by using multiple roles. A user has 1 default role but can have many allowed roles.
It seems you want to have a user be able to access certain columns for all rows and other columns only based upon a specific condition. If that is the case, you likely need multiple roles. A good example of this might be a comments table, where a user can see certain public columns for all rows and then perhaps a separate set of privileged columns for records they have authored. This can be accomplished with multiple roles but that requires multiple requests.
You can also make a view based on the users table that is just SELECT id, email FROM users and give it permissions that only allow row access if the company matches of the row matches that of the user. On the main table, give no email column access and join the view to the main table in an object relationship.
Of course, regardless, you need relationships set up that allow you to look up the company that the current user's X-HASURA-USER-ID is associated with.
You can also make a DB function that takes in the user id as a parameter and does the logic in the SQL function to only show the email values conditionally. This can be a bit of an "icky"er solution.