How would I prevent other roles from seeing certain values of a Query

I have an Admin Role and a Regular User Role that are of type User.

I created a

type Query{
  getUsers: [User]
type User {
  email: String @unique
  name: String
  quests: [Quest] @relation(name: "user_quests")
  #knight: Knight @relation(name: "user_knight")
  heros: [Hero] @relation(name: "user_knights")
  jobs: [Job] @relation(name: "user_jobs")
  role: UserRole
  follower1: User @relation(name: "user_follower1")
  twitter: String
  profileImage: String

that grabs all the User data, what I want is the Admin role to be able to see the email address but not the User role or the client, but with the User collection I created I need to set the permissions to read true for both the regular user role and the public client. How do I prevent the email field being request-able by those roles, and be able to request the email from admin role with the same getUsers query?

1 Like

It is not possible to hide only some fields with ABAC rules.

The workaround for Graphql to separate fields with permissions is to make a separate UserProfile type that is separate from an UserAccount type, where the former can be more public and the latter requires admin permissions.

This is also possible in plain FQL by, for example, specifying a user permission to have access to a UDF that that gets the user document and only returns the white-listed fields. But this kind of tight control is not yet available with the GraphQL API. You could create a new @embedded type that is a simplified version of the User info, but then you’ll lose benefits of the relationships, since @relation is not permitted on embedded types.

You can also have to separate UDF functions that can be accessed according to the ABAC user roles you set. For example:

type Query {
  getUsers: [User]
  getUsersForAdmin: [User]

Then in the FQL of the UDFs, you can hide specific values that are returned back with the Merge function. Here is a solution someone else implemented. Hiding some fields in the return model - #6 by Luigi_Servini

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.