Fine-grained access control
In the earlier section, we saw how to allow a user to call certain API actions and deny
other API actions. However, some use cases require restricting particular users at the level
of individual items and attributes. For these cases, DynamoDB provides fine-grained access
control over each item of a DynamoDB table. There are many places in an application where
you would want to restrict access to information in this way, for example:
• In the Employee table, the employee name, address, and telephone number should be
visible to all users, but an employee's salary should be visible only to the concerned
users. This is an example of vertical (attribute-level) access control, where each row
represents a separate employee and only some of its attributes may be read.
• If x employees report to manager A and y employees report to manager B, then each
manager should be able to view the details of only their own direct reports. Here again,
each row in the DynamoDB table represents a single employee, and we restrict each
manager to the rows of their direct reports. This is horizontal (item-level) access control.
To do this, we use the same IAM policy documents as before, adding the appropriate
condition statements. Horizontal and vertical access controls can both be expressed in
these statements, and we will verify them with examples.
To understand horizontal and vertical access controls, let's continue with the Employee
table example, where the Employee table stores the information of all employees. We will
now create a policy document that lets each employee access only their own personal
information (horizontal control) and prevents them from reading sensitive attributes such
as the performance rating, while allowing all other attributes to be read (vertical control).
The following is a policy document for this purpose:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
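The policy above is cut off in this text. The following is an added example, not the book's own document: it builds a complete policy of the same shape for the Employee table and models how the two condition keys enforce the horizontal and vertical restrictions. The table ARN, the partition key name EmployeeId, and the use of the ${www.amazon.com:user_id} identity variable are assumptions; evaluate() is a deliberately simplified model of IAM's ForAllValues:StringEquals matching, not the real IAM engine.

```python
"""Item-level (horizontal) and attribute-level (vertical) access for the
Employee table, expressed as an IAM policy plus a simplified evaluator."""

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Employee"  # assumed
IDENTITY_VAR = "${www.amazon.com:user_id}"  # assumed identity provider

# Attributes an employee may read about themselves; PerformanceRating is
# deliberately absent, which is what produces the vertical restriction.
ALLOWED_ATTRS = ["EmployeeId", "Name", "Address", "Telephone"]

def build_policy():
    """Return the policy document as a dict (json.dumps it before use)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"],
            "Resource": [TABLE_ARN],
            "Condition": {
                "ForAllValues:StringEquals": {
                    # Horizontal: every partition key value touched by the
                    # request must equal the caller's own identity.
                    "dynamodb:LeadingKeys": [IDENTITY_VAR],
                    # Vertical: every attribute requested must be allow-listed.
                    "dynamodb:Attributes": ALLOWED_ATTRS,
                },
                # Query/Scan must project specific attributes; otherwise a
                # request for ALL_ATTRIBUTES would sidestep the allow-list.
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }

def evaluate(policy, caller_id, action, keys, attributes, select=None):
    """Simplified allow/deny for one request (a model, not real IAM)."""
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]
        for_all = cond["ForAllValues:StringEquals"]
        leading = [v.replace(IDENTITY_VAR, caller_id) for v in for_all["dynamodb:LeadingKeys"]]
        select_ok = select is None or select == cond["StringEqualsIfExists"]["dynamodb:Select"]
        if (all(k in leading for k in keys)
                and all(a in for_all["dynamodb:Attributes"] for a in attributes)
                and select_ok):
            return "Allow"
    return "Deny"  # implicit deny when no statement matches
```

The evaluator shows the defender-side checks worth testing: an employee reading their own allowed attributes passes, while reading PerformanceRating, reading another employee's item, or querying with ALL_ATTRIBUTES is denied.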