From the docs:
- A privilege configuration object defines, for a given resource, what actions are permitted.
- A membership configuration object dynamically defines which authenticated resources are members of a given role.
I’m struggling a bit to understand how these differ / which one to use.
Say I have a collection of
Some of them have a property like `type: default` which means they should only be able to read other users and write their own user object.
`type: admin` which means they can read and write to all users.
For this scenario, which of these approaches is the right one?
- Set up 2 custom roles (one for default, one for admins) and then use the membership parameter to determine what role they belong to via the
- Set up 1 custom role (where all users are members) and for each permission type set a lambda that dynamically checks whether a user is of type admin or is editing his own account?