Commit 0f3870f

AaronZyLee, david-mcafee and renebrandel authored
chore: add callout for granular read use case (aws-amplify#5084)
* chore: add callout for granular read use case

* Update src/pages/cli/graphql/authorization-rules.mdx

Co-authored-by: David McAfee <[email protected]>

* Update src/pages/cli/graphql/authorization-rules.mdx

---------

Co-authored-by: David McAfee <[email protected]>
Co-authored-by: Rene Brandel <[email protected]>
1 parent c2f2ca2 commit 0f3870f

1 file changed

+6
-0
lines changed

src/pages/cli/graphql/authorization-rules.mdx

Lines changed: 6 additions & 0 deletions
@@ -503,4 +503,10 @@ Authorization rules consists of:
503503
- **authorized operations** (`operations`): which operations are allowed for the given strategy and provider. If not specified, `create`, `read`, `update`, and `delete` operations are allowed.
504504
- **`read` operation**: `read` operation can be replaced with `get`, `list`, `sync`, `listen`, and `search` for a more granular query access
505505

506+
<Callout warning>
507+
508+
If you use DataStore instead of the API category to connect to your AppSync API, then you must allow `listen` and `sync` operations for your data model.
509+
510+
</Callout>
511+
506512
**API Keys** are best used for public APIs (or parts of your schema which you wish to be public) or prototyping, and you must specify the expiration time before deploying. **IAM** authorization uses [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) to make request with policies attached to Roles. OIDC tokens provided by **Amazon Cognito user pool** or **3rd party OpenID Connect** providers can also be used for authorization, and enabling this provides a simple access control requiring users to authenticate to be granted top level access to API actions.
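
Review bot: The callout added at new lines 506-510 does not say when the requirement applies. The bullet directly above it says `read` can be replaced with `get`, `list`, `sync`, `listen`, and `search`, so the callout should state that it concerns rules that list those granular operations in place of `read`, for example "If you replace `read` with granular operations and use DataStore, include `listen` and `sync` in `operations`". As written, a reader may take it as a reason to fall back to plain `read`, which per that bullet also stands in for `get`, `list` and `search` and so grants more than the two operations this callout names. It would also help to say what a developer observes when `listen` or `sync` is missing, so the misconfiguration is recognizable rather than worked around by widening the rule.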
