I’m attempting to develop an application architecture almost exclusively on top of AWS services.
This application has both User and Organization “entities”. As one might expect, a User may be an admin, role-x, or role-y of one or more organizations (admin, role-x and role-y are just placeholders for some role with some set of specific permissions). A User may also be standalone (that is, not have a role on any Organization).
Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like “mission statement”, “business address” and so on.
An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update “mission statement” while reading all other fields.
Since I mentioned that a single user may have roles on many different organizations, that might look something like:
It’s also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.
This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.
I’ve been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets – but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.
How might one go about implementing this type of permission system on AWS?
(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programmatic way – or is it ill-advised to modify policies on the fly like that?)
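As an added example (not from the question or any answer), one way to model the many-to-many user/org/role layout described above: role assignments are stored as plain DynamoDB items rather than baked into per-identity IAM policies, and field-level permissions are evaluated in application code with default deny. The table layout (`pk = ORG#<org>`, `sk = USER#<user>`), the field names and the sample items are assumptions constructed for illustration.

```python
from __future__ import annotations

# Constructed sample items, shaped like a single DynamoDB table with
# pk = "ORG#<org>" and sk = "USER#<user>" (assumed layout, not from the question).
# One item per (organization, user, role) assignment; deleting the item revokes the role,
# so inviting or removing a user never requires editing an IAM policy.
MEMBERSHIPS = [
    {"pk": "ORG#acme", "sk": "USER#alice", "role": "admin"},
    {"pk": "ORG#acme", "sk": "USER#bob", "role": "role-x"},
    {"pk": "ORG#globex", "sk": "USER#alice", "role": "role-y"},
]

# Field-level permissions per role, kept as data so IAM policies stay static.
ORG_FIELDS = {"mission_statement", "business_address", "name"}
ROLE_PERMS = {
    "admin": {"read": ORG_FIELDS, "write": ORG_FIELDS},
    "role-x": {"read": ORG_FIELDS, "write": {"mission_statement"}},
    "role-y": {"read": ORG_FIELDS, "write": set()},
}


def roles_for(user: str, org: str, items=MEMBERSHIPS) -> set[str]:
    """Roles `user` holds in `org`; a user may hold roles in many orgs or none at all."""
    return {i["role"] for i in items
            if i["pk"] == f"ORG#{org}" and i["sk"] == f"USER#{user}"}


def allowed_fields(user: str, org: str, action: str, items=MEMBERSHIPS) -> set[str]:
    """Union of the fields every held role grants for `action`; unknown roles grant nothing."""
    perms: set[str] = set()
    for role in roles_for(user, org, items):
        perms |= ROLE_PERMS.get(role, {}).get(action, set())
    return perms


def authorize_update(user: str, org: str, changes: dict, items=MEMBERSHIPS) -> tuple[bool, set[str]]:
    """Reject the whole update if any requested field lies outside the user's write set.

    Returns (allowed, denied_fields) so the caller can log exactly what was refused.
    """
    denied = set(changes) - allowed_fields(user, org, "write", items)
    return (not denied, denied)
```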
The above answer is outdated.
AWS has added Cognito Groups recently. That provides more flexibility.
You can use the technique described in the article to achieve that: