Apollo, data resolvers, and abac

Hi

I’m trying to understand a few topics. Please bear with me.

  1. Is my understanding correct that Apollo server is a graphql interface to your data sources? And your data source can be anything - even a graphdb server - as long as you write the necessary data source interface to pull the data.
  2. I need a way to insert policy evaluation logic into the query or mutation resolvers that Apollo will expose so that rules such as “only the manager from the Hong Kong branch is allowed to see customer data from Hong Kong”, or “the doctor from HospitalA can perform updates to patient data that he is taking care of”, etc. Assuming I have a REST API that I can call to evaluate such rules, is there a way to do this with Apollo? Do I hand code it in Apollo’s support for data sources (i.e Connect to data sources - Apollo Basics - Apollo GraphQL Docs). I’m trying to use an attribute based access control policy (as opposed to traditional RBAC).

Thanks.