Hiding document properties based on role

I’m going to start with a simplified GraphQL schema:

type Owner {
  name: String!
}

type Manager {
  name: String!
}

type Property {
  name: String!
  address: String
  purchasePrice: Long
  owner: Owner! @relation
}

I have two user types: Owners and Managers. Those users have separate roles: an owner-role and a manager-role. I want to allow managers to access owner-properties, but I want to hide the purchasePrice from them.

After trying several options, it seems my only option is to update the data model to something like this:

type Owner {
  name: String!
}

type Manager {
  name: String!
}

type Property {
  name: String!
  address: String
  owner: Owner! @relation
  ownerOnlyDetails: OwnerOnlyPropertyDetails @relation
}

type OwnerOnlyPropertyDetails {
  purchasePrice: Long
  property: Property! @relation
}

By placing the data I want to hide in a different collection, I can give Managers access to the Property type, while denying access to the OwnerOnlyPropertyDetails.

Unfortunately, having to update the data model in this way introduces a lot of work in an application, so I was trying to avoid it.

Alternative Solution:

Create custom UDFs for all manager data access. This means I can't easily reuse code between managers and owners in my app, so it's not ideal. Also, I lose a lot of the benefits of GraphQL being able to freely query my data how I want without a lot of overhead.

Conclusion

Since Fauna's ABAC permissions system is document-level, there's no way to filter out document properties. It would be nice if there was a feature to define and give permission to view a subset of a document's data. Maybe Fauna could integrate GraphQL Interfaces with ABAC to achieve this.

This is not a feature that we plan on taking on. We’ve moved this topic from Feature Requests to Help, so that folks can still see the workaround.

Whether you are using the GraphQL API or querying the database directly with FQL, the appropriate thing to do is use separate Collections if you need different privileges for some data.
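
The separate-collections workaround from this thread, written as FQL v4 role definitions. This is an added example, not code from the posts above or from Fauna. The role names come from the first post; it assumes the GraphQL import created one collection per type, that managers may also read Owner documents, and it leaves out any index privileges your queries need.

```fql
// Added example (FQL v4 syntax). Assumption: collections are named after
// the GraphQL types in the second schema above.

// Managers: document-level read on Property and Owner only.
CreateRole({
  name: "manager-role",
  membership: [{ resource: Collection("Manager") }],
  privileges: [
    { resource: Collection("Property"), actions: { read: true } },
    { resource: Collection("Owner"), actions: { read: true } }
    // Deliberately no privilege on OwnerOnlyPropertyDetails.
    // purchasePrice is stored there, so a manager token cannot read it.
  ]
})

// Owners: same access as managers, plus the owner-only collection.
CreateRole({
  name: "owner-role",
  membership: [{ resource: Collection("Owner") }],
  privileges: [
    { resource: Collection("Property"), actions: { read: true } },
    { resource: Collection("Owner"), actions: { read: true } },
    {
      resource: Collection("OwnerOnlyPropertyDetails"),
      actions: { read: true }
    }
  ]
})
```

Because privileges attach to whole collections, the split is what hides purchasePrice: nothing in the manager role mentions the field itself.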