Roles

Use the roles property to specify the allowed roles for an operation. Use config rolesPath to specify a object path for JWT roles otherwise defaults to jwt.roles

type User {
    id: ID
    name: String
}

extend type User @auth(rules: [{ operations: [UPDATE], roles: ["admin"] }])

Above showing an admin role is required for all operations against Users. If you have multiple roles you can add more items to the array;

extend type User @auth(rules: [{ roles: ["admin", "super-admin"] }])

Users only need one of many roles to satisfy a rule.

1. RBAC

Here is a RBAC example using roles;

type CatalogItem @auth(rules: [{ operations: [READ], roles: ["read:catalog"] }]) {
    id: ID
    title: String
}

type Customer @auth(rules: [{ operations: [READ], roles: ["read:customer"] }]) {
    id: ID
    name: String
    password: String @auth(rules: [{ operations: [READ], roles: ["admin"] }])
}

type Invoice @auth(rules: [{ operations: [READ], roles: ["read:invoice"] }]) {
    id: ID
    csv: String
    total: Int
}