ABAC GraphQL permission for create/write to many-to-many collection

Assuming collections as follows… a list of clients… and the ability to connect services to a client:

Client {
 services: [Service] @relation(name: "ClientServices")
Service {
 clients: [Client] @relation(name: "ClientServices")

Note: when importing your GraphQL schema this auto-generates a ClientServices collection !!!

So trying to update a client with a new service… ie:

mutation {
 updateClient(id: ..., data : {
   services:  {
     connect: ["123", "456"] ## where there are valid service _id's
 }) { ... }

I am getting an insufficient permissions error.

Answering my own question here, to hopefully help others with ABAC and GraphQL, happy to get feedback.

The connect: ... will create entries in that generated ClientServices collection (which manages the many-to-many relationship) so you need to set the create action in your User-defined role. To be careless, set it to true. To actually control the permission, keep in mind what gets created, here is an example of an added service to a client:

### This is what happens in that generated ClientServices collection
  "ref": Ref(Collection("ClientServices"), "281757184150209036"),
  "ts": 1604963440200000,
  "data": {
    "clientID": Ref(Collection("Client"), "278378920433156621"),
    "serviceID": Ref(Collection("Service"), "278378920266433037")

So on your create action will be receiving an object with the data object similar to the one above. So lets call this object newJoinData :


Where you can access say the clientID ref with Select(["data", "clientID"], Get(Var("newJoinData")))

If you disconnect a service from a client, then you probably want to update the delete action… I’ll update this post when I know how!