Hello. I would like to receive your opinion on som...
# help
ö
Hello. I would like to receive your opinion on something. Users will have roles:
regular | manager | globalManager
And different roles will have different capabilities, e.g., globalManager can create users, but regular users cannot. I’m still not sure how I can approach this. I’m thinking of using a Cognito User Pool, attaching users to IAM User Groups, and making the relevant APIs require the appropriate role. How else do you think I can achieve a Role Based Access Control model?
A user can have multiple roles though
c
In my opinion, I would avoid baking this into Cognito too much. I would look at having a DB where you specify roles and then in your API handler specify what users have access to. There are libraries to help with this; we are looking at https://github.com/casbin/casbin
f
I second @Chad (cysense)’s approach. We also manage RBAC ourselves.