How it works...

The service is configured with a Cognito authorizer that verifies the token and forwards its claims, including the groups the user belongs to. At design time we want to declare the roles required to access privileged actions. In GraphQL a schema can be annotated with directives; in this recipe we define a hasRole directive and implement a resolver that checks the roles allowed by the annotation against the groups present in the claims, and then either allows or denies access. The resolver logic is decoupled from the schema, and the annotations in the schema stay straightforward and clean.
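The check described above, as an added example (not the book's code): a resolver wrapper that enforces the roles declared by a hasRole annotation against the Cognito group claim the authorizer forwards. The claim name `cognito:groups` is the one Cognito issues; the `context.claims` field, the comma-separated string form of the claim, and the sample mutation are assumptions for this example.

```javascript
// Added example, not from the book: role check for a hasRole directive.
const GROUPS_CLAIM = 'cognito:groups'; // group claim name issued by Cognito

// Normalise the forwarded claim. It is an array in the JWT, but some
// authorizers flatten it to a comma-separated string (assumed here), so
// accept both and treat anything else as "no groups".
function groupsFromClaims(claims = {}) {
  const raw = claims[GROUPS_CLAIM];
  if (Array.isArray(raw)) return raw.map(String);
  if (typeof raw === 'string' && raw.length > 0) {
    return raw.split(',').map((g) => g.trim()).filter(Boolean);
  }
  return [];
}

// Deny by default: true only if the caller holds at least one allowed role.
function isAuthorized(allowedRoles, claims) {
  const groups = new Set(groupsFromClaims(claims));
  return allowedRoles.some((role) => groups.has(role));
}

// Wrap a field resolver so the role check runs before the original resolver.
// `roles` is the list carried by the schema annotation; the check itself
// lives here, not in the schema.
function hasRole(roles) {
  return (resolve) => (parent, args, context, info) => {
    const claims = (context && context.claims) || {};
    if (!isAuthorized(roles, claims)) {
      throw new Error(`Not authorized: requires one of [${roles.join(', ')}]`);
    }
    return resolve(parent, args, context, info);
  };
}

// Constructed sample: a privileged mutation guarded by hasRole(['Admins']).
const deleteUser = hasRole(['Admins'])((parent, { id }) => ({ id, deleted: true }));

// Constructed contexts: one caller in Admins, one only in Viewers.
function demo() {
  const admin = { claims: { [GROUPS_CLAIM]: 'Admins,Editors' } };
  const viewer = { claims: { [GROUPS_CLAIM]: ['Viewers'] } };
  const ok = deleteUser(null, { id: 'u1' }, admin, null);
  let denied = null;
  try { deleteUser(null, { id: 'u1' }, viewer, null); } catch (e) { denied = e.message; }
  return { ok, denied };
}
```

A request with no claims at all (no authorizer context) is denied as well, since an empty group list never matches.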