Command Permissions
To limit what commands are available to a role in your supergraph, you define a CommandPermissions object.
By default, whenever a new command is created in your supergraph, it is only executable by the admin role.
You can enable or restrict access to commands by adding a new item to the permissions array in the
CommandPermissions object. Each item in the array should have a role field and an allowExecution field. The
allowExecution field should be set to true if the command is executable by the role.
You can also use argument presets to pass actual logical expressions to your data sources to control how they do things.
For example, a data connector might expose a Command called delete_user_by_id with two arguments - user_id and
pre_check. user_id is the primary key of the user you'd like to remove, and pre_check lets you provide a custom
boolean expression.
kind: CommandPermissions
version: v1
definition:
commandName: delete_user_by_id
permissions:
- role: admin
allowExecution: true
- role: user
allowExecution: true
argumentPresets:
- argument: pre_check
value:
booleanExpression:
fieldComparison:
field: is_invincible
operator: _eq
value:
literal: false
Now, when admin role runs this command, once again, they can do what they want, and provide their own pre_check if
they want.
The user role however, is able to pass a user_id argument, but the pre_check expression is passed to the data
connector which will only let them delete the row if the row's is_invincible value is set to false.
To make a execution of a command available to a role in your supergraph, after updating your metadata, you'll need to create a new build using the CLI.
Examples
---
kind: CommandPermissions
version: v1
definition:
commandName: get_article_by_id
permissions:
- role: admin
allowExecution: true
- role: user
allowExecution: true
argumentPresets:
- argument: id
value:
literal: 100
Reference
See the CommandPermissions reference for more information.
