Is your feature request related to a problem? Please describe.
Cannot create a user or group with full access privileges to all GraphQL queries and data.
Describe the solution you'd like
Some kind of superuser feature such that a business or support person can help end users.
Describe alternatives you've considered
Could likely implement with custom resolvers (#74), but perhaps there is a better way that applies to generated resolvers.
Additional context
Not yet.
I'm looking for something similar to this. I tried getting it to work by adding multiple rules to my GraphQL schema, in the hopes that it would auth owner OR groups:
```graphql
@auth(rules: [
  { allow: owner },
  { allow: groups, groups: ["admin"] }
])
```
but Mutation (create) as an owner fails with an _Unauthorized_ error since it only checks if the user is in one of the allowed groups - (owner is required but it never sets $isAuthorized to true). If $isAuthorized was set to true after the ownership injection... here: https://github.com/aws-amplify/amplify-cli/blob/d11aef51abd75d4e2f4df4af68abd9c1b8befc90/packages/graphql-auth-transformer/src/resources.ts#L256 it would fix the create issue (assuming no other issues with update/delete). You could then have "superuser"-like functionality by just including an admin group.
The Query resolvers (get, list) look like they will work fine since it checks owner OR group by each individually setting $isAuthorized.
I think, in the long term, having users pass a custom boolean expression to the transformer via the schema would be the most expressive solution. Actually, the current schema generation situation is a chain of AND expressions against the auth rules.
i.e. boolean logic for current implementation of your schema
isOwner && isInGroup(x for x in cognitoGroups) is what this tool generates for you, right now.
Was trying the same admin rule thing @dennyferra tried. Can't really see a good reason why that wouldn't be the way it worked. Would be nice if it did.
@dennyferra What you are doing should work but I believe it was a bug when using both group auth and owner auth together. This should be fixed in this PR https://github.com/aws-amplify/amplify-cli/pull/285. I'll add this exact case as a test case to verify.
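A simplified model of the behaviour discussed in this thread, added as an illustration and not taken from the Amplify CLI or from any commenter: it contrasts the create check as reported (only the group rule sets the authorized flag) with the owner-OR-group semantics the commenters expected. The function names, identities and records are constructed for the example; the real checks live in generated resolver templates.

```javascript
// Simplified model (an assumption), not the resolver code Amplify generates.
const rules = [{ allow: "owner" }, { allow: "groups", groups: ["admin"] }];

// Constructed identities standing in for Cognito username and group claims.
const alice = { username: "alice", groups: [] };
const bob = { username: "bob", groups: [] };
const support = { username: "sam", groups: ["admin"] };

const inAllowedGroup = (rule, identity) =>
  rule.allow === "groups" && rule.groups.some((g) => identity.groups.includes(g));

// Create check as reported in the thread: the owner rule injects the owner
// field but never sets isAuthorized, so only group members pass.
function createAsReported(rules, identity, input) {
  const item = { ...input };
  let isAuthorized = false;
  for (const rule of rules) {
    if (rule.allow === "owner") item.owner = identity.username;
    if (inAllowedGroup(rule, identity)) isAuthorized = true;
  }
  return isAuthorized ? item : "Unauthorized";
}

// Create check with OR semantics: injecting the caller as owner also
// authorizes. The owner comes from the identity, never from client input.
function createWithOrSemantics(rules, identity, input) {
  const item = { ...input };
  let isAuthorized = false;
  for (const rule of rules) {
    if (rule.allow === "owner") {
      item.owner = identity.username;
      isAuthorized = true;
    }
    if (inAllowedGroup(rule, identity)) isAuthorized = true;
  }
  return isAuthorized ? item : "Unauthorized";
}

// Read check: each rule can set the flag on its own (owner OR group).
function canRead(rules, identity, item) {
  return rules.some((rule) =>
    (rule.allow === "owner" && item.owner === identity.username) ||
    inAllowedGroup(rule, identity));
}

console.log(createAsReported(rules, alice, { title: "note" }));
console.log(createWithOrSemantics(rules, alice, { title: "note" }));
console.log(canRead(rules, support, { owner: "alice" }), canRead(rules, bob, { owner: "alice" }));
```

In this model the admin group acts as the "superuser" path on reads, while a non-admin user can still create and read only their own records.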