From the docs:
- A privilege configuration object defines, for a given resource, what actions are permitted.
- A membership configuration object dynamically defines which authenticated resources are members of a given role.
I’m struggling a bit to understand how these differ / which one to use.
Say I have a collection of `users`.
Some of them have a property like `type: default` which means they should only be able to read other users and write their own user object.
Some have `type: admin` which means they can read and write to all users.
For this scenario, which of these approaches is the right one?
- Set up 2 custom roles (one for default, one for admins) and then use the membership parameter to determine what role they belong to via the `user.type` attribute
- Set up 1 custom role (where all users are members) and for each permission type set a lambda that dynamically checks whether a user is of type admin or is editing his own account?
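
The two approaches in the question, modelled in plain Python as an added example (not part of the original post and not the database's own API). It assumes a request is granted when any role the caller belongs to permits it and is denied otherwise; the `USERS` documents, including the `guest` one, and all function names are constructed for illustration.

```python
# Constructed sample documents standing in for the `users` collection.
USERS = {
    "alice": {"type": "admin"},
    "bob": {"type": "default"},
    "carol": {"type": "default"},
    "dave": {"type": "guest"},  # a type neither approach was written for
}

def user_type(actor):
    return USERS[actor].get("type")

# Approach 1: two roles; the membership predicate picks the role from user.type.
TWO_ROLES = [
    {"membership": lambda a: user_type(a) == "admin",
     "privileges": {"read": lambda a, t: True, "write": lambda a, t: True}},
    {"membership": lambda a: user_type(a) == "default",
     "privileges": {"read": lambda a, t: True, "write": lambda a, t: a == t}},
]

# Approach 2: one role for every user; the privilege predicates check the type.
ONE_ROLE = [
    {"membership": lambda a: a in USERS,
     "privileges": {"read": lambda a, t: True,
                    "write": lambda a, t: user_type(a) == "admin" or a == t}},
]

def allowed(roles, actor, action, target):
    """Assumed semantics: union of the caller's roles, deny by default."""
    for role in roles:
        if role["membership"](actor):
            check = role["privileges"].get(action)
            if check is not None and check(actor, target):
                return True
    return False

def differences():
    """Every (actor, action, target) on which the two approaches disagree."""
    return sorted(
        (a, act, t)
        for a in USERS for act in ("read", "write") for t in USERS
        if allowed(TWO_ROLES, a, act, t) != allowed(ONE_ROLE, a, act, t)
    )

if __name__ == "__main__":
    for row in differences():
        print(row)
```

In this model the two setups agree for `admin` and `default` users and differ only for a user whose `type` is neither: with two roles that user belongs to no role and is denied everything, while with one role it still gets the default rights.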