hasScope
Requires the user to have a specific permission scope on a resource Uses Keycloak UMA 2.0 for fine-grained authorization
Two modes of operation:
- Argument mode (default): Extracts resource ID from GraphQL arguments (for mutations/queries)
- Field mode (fromParent=true): Extracts resource ID from parent object (for field-level permissions)
directive @hasScope(
resource: String!
scope: String!
resourceType: ResourceType!
fromParent: Boolean = false
) on FIELD_DEFINITION
Arguments
hasScope.resource ● String! non-null scalar
The resource ID source:
- In argument mode: The argument path (e.g., "id", "input.strategyID")
- In field mode: The field name on parent object (e.g., "strategyID")
hasScope.scope ● String! non-null scalar
The permission scope to check (e.g., "edit", "delete", "view", "backtest")
hasScope.resourceType ● ResourceType! non-null enum
Resource type for O(1) lookup. Required for proper permission checking.
hasScope.fromParent ● Boolean scalar
If true, extract resource ID from parent object's field instead of arguments. Use this for field-level permissions on types (e.g., Backtest.result checking Strategy permission)