API access based on client & user logged in

I am sorry if this question has been asked before, but after a lot of searching I am more confused now.
My problem statement:

I have multiple endpoints written with the help of AWS API Gateway integrated with AWS Lambda. Our users are in an AWS Cognito User Pool.
Now we have given clients the ability to pick and choose which APIs they want to subscribe to.

To add an extra layer of complexity, each user within one client can also have a different access level for the APIs.

How do I implement authorization such that access levels are fine-grained down to the user level?

Hey there @utkarshdeep welcome to the community!

I’m not entirely sure I follow your specific use case, but you definitely have options! I would look into RBAC, perhaps using metadata in users’ profiles, and/or FGA to see if anything might work for your needs.

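One way to combine the two checks the question describes (client-level API subscriptions plus user-level roles) is a Lambda authorizer in front of API Gateway. The example below is added here and is not code from the thread or from any AWS or Auth0 library; the custom claim names (`custom:client_id`, `custom:role`), the subscription and role tables, and the assumption that the Cognito JWT has already been verified and decoded into a `claims` dict before this code runs are all illustrative choices.

```python
# Added example: Lambda authorizer combining client subscriptions with user roles.
# Assumes the Cognito JWT was already verified against the pool's JWKS and decoded
# into `claims`; claim names and table contents are constructed for illustration.
from typing import Dict, Set, Tuple

# Which API resources each client has subscribed to (constructed sample data;
# in practice this would be looked up from a database keyed by client id).
CLIENT_SUBSCRIPTIONS: Dict[str, Set[str]] = {
    "acme": {"orders", "reports"},
    "globex": {"orders"},
}

# Per-user access level, carried as a Cognito custom attribute and mapped to the
# HTTP methods that level may call (simple RBAC; role names are constructed).
ROLE_METHODS: Dict[str, Set[str]] = {
    "viewer": {"GET"},
    "editor": {"GET", "POST", "PUT"},
    "admin": {"GET", "POST", "PUT", "DELETE"},
}

def parse_method_arn(method_arn: str) -> Tuple[str, str, str, str]:
    """Split an API Gateway methodArn into (api_id, stage, http_method, api_name).
    Format: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    The first path segment is treated as the subscribable API name."""
    api_id, stage, http_method, path = method_arn.split(":")[5].split("/", 3)
    return api_id, stage, http_method, path.split("/")[0]

def is_allowed(claims: Dict[str, str], method_arn: str) -> bool:
    """Allow only if the caller's client subscribed to the API and the role permits the method."""
    try:
        _, _, http_method, api_name = parse_method_arn(method_arn)
    except ValueError:  # malformed ARN: fail closed
        return False
    client_id = claims.get("custom:client_id", "")
    role = claims.get("custom:role", "")
    subscribed = api_name in CLIENT_SUBSCRIPTIONS.get(client_id, set())
    permitted = http_method in ROLE_METHODS.get(role, set())  # unknown role -> nothing
    return subscribed and permitted

def build_policy(claims: Dict[str, str], method_arn: str) -> dict:
    """Authorizer response: a Deny policy yields HTTP 403 instead of an exception (401)."""
    effect = "Allow" if is_allowed(claims, method_arn) else "Deny"
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        # Passed through to the backend Lambda for any finer-grained, per-record checks.
        "context": {"client_id": claims.get("custom:client_id", ""), "role": claims.get("custom:role", "")},
    }
```

With authorizer caching enabled, a policy scoped to a single `methodArn` is reused for every route hit with the same token, so either disable the cache or emit the full set of resources the caller may invoke.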