ah thanks. I am interested in ensuring users can only access records they own over graphql and I ended up doing something similar to what you posted in your question using middleware. I also joined today’s office hours and the advice was to use middleware instead of a policy in that case.