Roles
Use the roles property to specify the allowed roles for an operation. Use the Neo4jGraphQL config option rolesPath to specify an object path for the JWT roles; otherwise it defaults to jwt.roles.
The following type definitions show that an admin role is required for all update operations against Users.
```graphql
type User {
    id: ID
    name: String
}

extend type User @auth(rules: [{ operations: [UPDATE], roles: ["admin"] }])
```
If there are multiple possible roles, add more items to the array; a user needs only one of them to satisfy the rule:

```graphql
extend type User @auth(rules: [{ operations: [UPDATE], roles: ["admin", "super-admin"] }])
```
RBAC
Here is an example of RBAC (Role-Based Access Control) using roles:
```graphql
type CatalogItem @auth(rules: [{ operations: [READ], roles: ["read:catalog"] }]) {
    id: ID
    title: String
}

type Customer @auth(rules: [{ operations: [READ], roles: ["read:customer"] }]) {
    id: ID
    name: String
    password: String @auth(rules: [{ operations: [READ], roles: ["admin"] }])
}

type Invoice @auth(rules: [{ operations: [READ], roles: ["read:invoice"] }]) {
    id: ID
    csv: String
    total: Int
}
```
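The following is an added example, not code from the Neo4j GraphQL library, that models the role checks described on this page so the rules above can be exercised offline: reading roles from a decoded JWT at a rolesPath, the "any one listed role is enough" semantics, and how the field-level rule on Customer.password stacks on the type-level Customer rule. It assumes that rolesPath is resolved relative to the decoded token (a leading "jwt." segment is dropped), that an operation with no applicable rule is not restricted by roles, and that multiple applicable rules are OR'd; the token payloads are constructed.

```javascript
// Return the roles found at `rolesPath` in the decoded token (assumption: the path is
// relative to the token, so the default "jwt.roles" reads token.roles). A missing or
// non-array claim yields no roles, so a malformed token can never satisfy a role rule.
function rolesFromJwt(jwt, rolesPath = "jwt.roles") {
  const segments = rolesPath.split(".");
  if (segments[0] === "jwt") segments.shift();
  let node = jwt;
  for (const segment of segments) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, segment)) return [];
    node = node[segment];
  }
  return Array.isArray(node) ? node.filter((r) => typeof r === "string") : [];
}

// A rule applies when it lists the operation (a rule without `operations` applies to all).
// Assumption: no applicable rule means no role restriction; when rules do apply, the
// token must satisfy at least one of them, and one matching role satisfies a rule.
function authorize(rules, operation, roles) {
  const applicable = rules.filter((r) => !r.operations || r.operations.includes(operation));
  if (applicable.length === 0) return true;
  return applicable.some((r) => (r.roles || []).some((role) => roles.includes(role)));
}

// Field-level rules stack on type-level rules: reading Customer.password requires passing
// both the Customer READ rule and the password READ rule. A token holding only "admin"
// is stopped at the type level because it lacks "read:customer".
function canReadField(typeRules, fieldRules, roles) {
  return authorize(typeRules, "READ", roles) && authorize(fieldRules, "READ", roles);
}

// Rules transcribed from the type definitions above.
const USER_RULES = [{ operations: ["UPDATE"], roles: ["admin", "super-admin"] }];
const CUSTOMER_RULES = [{ operations: ["READ"], roles: ["read:customer"] }];
const PASSWORD_RULES = [{ operations: ["READ"], roles: ["admin"] }];

// Constructed token: a support user who may read customers but is not an admin.
const supportToken = { sub: "support-1", permissions: { roles: ["read:customer"] } };
const supportRoles = rolesFromJwt(supportToken, "jwt.permissions.roles");
console.log("read Customer:", authorize(CUSTOMER_RULES, "READ", supportRoles));        // true
console.log("read password:", canReadField(CUSTOMER_RULES, PASSWORD_RULES, supportRoles)); // false
```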