I'm developing a serverless application which includes a concept of groups which are not pre-defined (so not the classic fixed Admin/Guest...).

Those groups are indeed generated freely by the end users of the application, who can then invite other users into these groups, remove them, delete the group, etc.

Being part of a group(s) allows a user to perform certain operations on entities related to that specific group.

I'm now wondering if Cognito User Groups can be used for this purpose, given that those groups will be created directly from the application by the end user and there could potentially be an infinite number of groups.

The other option is to implement my own authoriser, like querying DynamoDB to check if a user is part of a specific group. I can't really find a reference to pick the best one.

Any experience/suggestions will be much appreciated.

Moby
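The custom-authoriser option mentioned in the question, sketched as an added example (not code from the original post or from AWS): the caller's identity is taken from the verified Cognito token claims and group membership is looked up in DynamoDB on every request, denying by default. The table name, the `group_id`/`user_id` key names, the `groupId` path parameter and the REST API Cognito-authorizer claims location are assumptions; `FakeTable` and `sample_event` are constructed stand-ins so the check runs offline.

```python
import json

TABLE_NAME = "GroupMemberships"  # hypothetical table: PK group_id, SK user_id

def default_table():
    import boto3  # imported lazily so the logic can be exercised without AWS
    return boto3.resource("dynamodb").Table(TABLE_NAME)

def is_member(table, group_id, user_id):
    """True only if a membership item exists for (group_id, user_id)."""
    if not group_id or not user_id:
        return False
    resp = table.get_item(
        Key={"group_id": group_id, "user_id": user_id},
        ConsistentRead=True,  # a removal from the group is seen on the next request
    )
    return "Item" in resp

def handler(event, context, table=None):
    """Lambda proxy handler behind an API Gateway Cognito authorizer (assumed)."""
    # Identity comes from the verified token claims, never from the request body.
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    user_id = (authorizer.get("claims") or {}).get("sub")
    group_id = (event.get("pathParameters") or {}).get("groupId")
    if not user_id:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    if table is None:
        table = default_table()
    if not is_member(table, group_id, user_id):
        return {"statusCode": 403, "body": json.dumps({"error": "not a group member"})}
    return {"statusCode": 200, "body": json.dumps({"group": group_id, "user": user_id})}

class FakeTable:
    """Constructed in-memory stand-in for the DynamoDB table."""
    def __init__(self, members):
        self.members = set(members)

    def get_item(self, Key, ConsistentRead=False):
        hit = (Key["group_id"], Key["user_id"]) in self.members
        return {"Item": dict(Key)} if hit else {}

def sample_event(sub, group_id):
    """Constructed API Gateway proxy event with only the fields used above."""
    return {"requestContext": {"authorizer": {"claims": {"sub": sub}}},
            "pathParameters": {"groupId": group_id}}
```

Keying the table on the group as partition key and the user as sort key keeps the per-request check to a single `get_item`, and the number of groups is not bounded by user pool quotas.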

2 Answers

It can work. However, keep in mind there are quotas set by AWS for the number of groups in a user pool (10,000) and the number of groups a user can belong to (100).

https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html

If these limits work for your application, then it should be fine.

ZKel

I think that Cognito user pool multi-tenancy would work in this case: https://docs.aws.amazon.com/cognito/latest/developerguide/bp_user-pool-based-multi-tenancy.html

If you need, for example, to have role mappings for more than the Admin/Guest pattern, you can create multi-tenancy in a Cognito user pool.

The above documentation uses a Student/Teacher example, but it can expand to infinite cases.

When your application evolves, you can use either the CLI or the SDK to include another tenancy in the same user pool and put tenancy-to-role mappings into effect using an identity pool.

Igor Eulálio