We have been using Realm for a few months now and we are currently investigating if and how we should use users, roles and privileges. I think that the Query-based Sync Permissions are pretty straightforward, but I still have some issues with assigning the correct roles.
Say that we have an identity provider (in our case Cognito) and we have Realm roles to reflect the privileges for each user and the companies that they belong to. How do we assign the correct roles when someone logs into Realm for the very first time? I thought of a few options, but I have issues with each one of them:
The client “knows” which user it is in our user pool, and after authentication it also knows the user’s Realm identity. We could apply some simple mapping to automatically let the client assign its own roles (e.g. “user125124” and “company124”). However, that means we need to trust the client, and a client could take advantage of this mechanism by assigning itself to any role while it is not supposed to.
A better solution would be to assign the correct roles when the user authenticates, but the authentication action does not actually create an identity for the synced user (as far as I know). This means we know the user from our identity provider, but now we do not know which “__User” should have this role.
Ok, ok, let’s do it a bit later then? We could create another process that catches the creation of any new user role (e.g. “__User:ebb912…”), but… now we do not know which user actually created this role, right? Dead end there.
What if we could actually catch a login of any user? I presume we can then actually fetch the identity of the synced user AND also have the credentials and/or its metadata that were used for acquiring access to Realm using our identity provider. We now have an authorized service that can assign roles to new partially synced users, am I right?
So, say that the fourth option actually is the way to go, how would I accomplish that? Is there a way to “listen” for logins or the opening of partial Realms? Maybe there is another option that I did not think of that works for our case?