[keycloak-dev] [authz] All permissions must pass?

Bill Burke bburke at redhat.com
Sat Apr 1 12:20:27 EDT 2017


So all permissions must pass when evaluating a resource/scope 
authorization?  Just did some testing in admin console.  I have 2 
permissions.  I used the policy evaluator for a resource/scope combo.  
One permission passes, the other fails.  Evaluator result is DENY:


Result
*DENY*
Scopes
No scopes available.
Policies
# *map.role.permission.realm-management.manage-authorization*
  <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/permission/scope/776b79cf-57e2-4b55-b9e5-84195c89fd7a>
  decision was *PERMIT* by *UNANIMOUS* decision.

  * *role.policy.realm-managementmanage-users*
    <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/29968cd1-f44e-47db-868d-c7bd61b827dd>
    voted to *PERMIT*.
  * *role.policy.realm-managementmanage-authorization*
    <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/c4da0818-432a-41d2-94a8-0fc08051a609>
    voted to *PERMIT*.

# *role-mapper-permission*
  <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/permission/scope/e8acb66c-fe1f-4310-946a-fbb638449e77>
  decision was *DENY* by *UNANIMOUS* decision.

  * *role-mapper*
    <http://localhost:8180/auth/admin/master/console/#/realms/test/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resource-server/policy/role/41b7d1fe-c40f-4437-93d2-aa5768227fd4>
    voted to *DENY*.
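
A small model of the evaluation shown in the output above, added as an example and not taken from Keycloak's source or from the original post. It assumes the overall result is PERMIT only when every permission permits (the behaviour the evaluator output shows) and that a permission with no policies denies; `combine`, `Permission` and `evaluate` are hypothetical names, and the AFFIRMATIVE and CONSENSUS branches go beyond the UNANIMOUS case in the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PERMIT, DENY = "PERMIT", "DENY"


def combine(strategy: str, votes: List[str]) -> str:
    """Fold the policy votes of one permission into a single decision."""
    permits = votes.count(PERMIT)
    denies = len(votes) - permits
    if strategy == "UNANIMOUS":        # every policy must permit
        ok = permits > 0 and denies == 0
    elif strategy == "AFFIRMATIVE":    # one permitting policy is enough
        ok = permits > 0
    elif strategy == "CONSENSUS":      # permits must outnumber denies
        ok = permits > denies
    else:
        raise ValueError(f"unknown decision strategy: {strategy}")
    return PERMIT if ok else DENY      # assumption: no votes means DENY


@dataclass
class Permission:
    name: str
    strategy: str
    votes: Dict[str, str]  # policy name -> PERMIT or DENY


def evaluate(permissions: List[Permission]) -> Tuple[str, Dict[str, str]]:
    """Assumed all-must-pass rule: a single DENY permission denies the request."""
    per_permission = {p.name: combine(p.strategy, list(p.votes.values()))
                      for p in permissions}
    granted = bool(per_permission) and all(d == PERMIT for d in per_permission.values())
    return (PERMIT if granted else DENY), per_permission


# Names and votes copied from the evaluator output in the post.
SAMPLE = [
    Permission("map.role.permission.realm-management.manage-authorization", "UNANIMOUS", {
        "role.policy.realm-managementmanage-users": PERMIT,
        "role.policy.realm-managementmanage-authorization": PERMIT,
    }),
    Permission("role-mapper-permission", "UNANIMOUS", {"role-mapper": DENY}),
]

if __name__ == "__main__":
    overall, detail = evaluate(SAMPLE)
    for name, decision in detail.items():
        print(f"{name}: {decision}")
    print("Result:", overall)
```

Under this rule, attaching another permission to a resource/scope can only narrow access; dropping `role-mapper-permission` from `SAMPLE` turns the result into PERMIT.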


