Assigning roles to new partials



Hi there,

We have been using Realm for a few months now and we are currently investigating if and how we should use users, roles and privileges. I think that the Query-based Sync Permissions are pretty straightforward, but I still have some issues with assigning the correct roles.

Say that we have an identity provider (in our case Cognito) and we have Realm roles to reflect the privileges for each user and the companies that they belong to. How do we assign the correct roles when someone logs into Realm for the very first time? I thought of a few options, but I have issues with each one of them:

  1. The client “knows” which user it is in our use pool, and after authentication it also knows the user’s Realm identity. We could apply some simple mapping to automatically let the client assign its own roles (e.h. “user125124” and “company124”). However, that means we need to trust the client and a client could take advantage of this mechanism by assigning itself to any role while they are not supposed to.

  2. A better solution would be to assign the correct roles when the user authenticates, but the authentication action does not actually create an identity for the synced user (as far as I know). This means we know the user from our identity provider, but now we do not know which “__User” should have this role.

  3. Ok, ok, let’s do it a bit later then? We could create another process that catches the creation of any new user role (e.g. “__User:ebb912…”), but… now we do not know which user actually created this role, right? Dead end there.

  4. What if we could actually catch a login of any user? I presume we can then actually fetch the identity of the synced user AND also have the credentials and/or its metadata that were used for acquiring access to Realm using our identity provider. We now have an authorized service that can assign roles to new partially synced users, am I right?

So, say that the fourth option actually is the way to go, how would I accomplish that? Is there a way to “listen” for logins for opening op partial Realms? Maybe there is another option that I did not think of that works for our case?

Kind regards,




You could automatically assign roles by creating your own custom authentication function that extends the authService here -

If the response from your 3rd party provider contains metadata about the role the user is a part of then you can call a function within the createOrUpdateUser callback to add that user to a particular role.

A unique role is also automatically created for every user in the system when they first connect: __User:. The user is also automatically a member of this role.

I’d probably recommend that you create a common Realm that is shared by all users that contains minimum profile information about users including what teams they are a part of and therefore what roles they should be a part of - take a look at the common realm design here -


I’ll definitely try that out. I guess that I didn’t realise that the auth server could be a custom solution separate from the ROS. Are there any recommendations for hosting the auth provider and disabling the ROS auth provider?

This information was helpful, thanks!


@jvboot So you would create your own customAuth provider in node.js and use the realm-object-server library - see an example here -

You would then run the realm-object-server node.js app on infrastructure of your choice just like any other app.