79298298

Date: 2024-12-20 20:08:28
Score: 0.5

You cannot directly use a field's value (isPrivate) to conditionally apply authorization rules within the schema alone. The @auth directive operates at the type and field level but does not support dynamic rules based on field values.

To achieve this:

  1. Use a custom Lambda resolver.

This allows you to read the isPrivate field in the request, check the user's ownership or group membership, and allow or deny access accordingly.

  2. Or implement field-level authorization in the schema (if only some of the fields should be protected).

Split SomeEntity into fields with separate rules, e.g., privateField for owners and publicField for everyone.

Example:

type SomeEntity
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["user"], operations: [create] }
      { allow: owner, operations: [read] }
    ]
  ) {
  # ... other fields ...
  privateField: String @auth(rules: [{ allow: owner }])
  publicField: String
}
Reasons:
  • Long answer (-0.5):
  • Has code block (-0.5):
  • User mentioned (1): @auth
  • Low reputation (0.5):
Posted by: Shahi Papon
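
The custom Lambda resolver option from the answer above, sketched as an added example (not part of the original post and not Amplify's own code). It assumes Cognito user pool auth, an `owner` field holding the caller's username, a hypothetical `getSomeEntity(id)` query, and a policy where private items are owner-only and public items are readable by the "user" group; the in-memory items are constructed sample data.

```javascript
// Added example: the read decision a custom Lambda resolver would make.
// Assumption: AppSync passes Cognito claims in event.identity.claims.

// Constructed sample data standing in for the DynamoDB table.
const SAMPLE_ITEMS = new Map([
  ["1", { id: "1", owner: "alice", isPrivate: true, publicField: "p1" }],
  ["2", { id: "2", owner: "alice", isPrivate: false, publicField: "p2" }],
]);

// Normalise the caller's username and groups from the identity object.
function callerOf(identity) {
  const claims = (identity && identity.claims) || {};
  const groups = claims["cognito:groups"];
  return {
    username: claims["cognito:username"] || (identity && identity.username) || null,
    groups: Array.isArray(groups) ? groups : groups ? [groups] : [],
  };
}

// Deny by default: owners always read their own items; everyone else needs
// the item to be explicitly public AND membership in the "user" group.
function canRead(item, identity) {
  const caller = callerOf(identity);
  if (!caller.username) return false;             // unauthenticated
  if (item.owner === caller.username) return true;
  if (item.isPrivate !== false) return false;     // missing flag counts as private
  return caller.groups.includes("user");
}

// Hypothetical handler for getSomeEntity(id); `load` is injectable so the
// example runs offline. In a real function it would read from the table.
async function handler(event, load = async (id) => SAMPLE_ITEMS.get(id)) {
  const item = await load(event.arguments.id);
  // Same answer for "missing" and "forbidden" so private ids cannot be probed.
  if (!item || !canRead(item, event.identity)) return null;
  return item;
}

if (typeof module !== "undefined") module.exports = { handler };
```
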