[keycloak-user] Multitenancy and further segmentation

BlackBellamy blackbellamy at posteo.de
Sat Apr 22 09:22:19 EDT 2017


Hey there,

we are currently developing the following web service and are uncertain
how to achieve our goals with the aid of Keycloak as IAM:

To understand the problem I'll try to explain the case from the
non-technical side:
Youth welfare sector; organizational head managing different facilities;
these facilities provide different offers; each facility has its own
employees which belong to 1..n of these offers; the employees shall
document data online about e.g. the attendees (e.g. to record progress
etc); we have to take care of very strict data protection guidelines
(especially in this sector)


Now more technically:
1) Several tenants/OUs (the facilities) will use a single web service to
record sensitive data about their patients
2) These tenants are not allowed to view other tenants' records
3) Furthermore these tenants will be graduated into departments (the
different offers)
4) A tenant's user shall be able to e.g. 'write record type A' for 1..n
departments. We'd need these roles per user (and preferably per
department, as user A may not have the same rights in each dept)
5) A tenant will have one user to manage the other users, but without
the possibility to grant himself superior rights than that
6) There shouldn't be any admin (master or other realms) that is able to
manage 'everything' online (as it implies too many possibilities for data
abuse)


Our thoughts for now are as follows:
1/2) Each facility will be represented by one realm -> strict bounds
3) A department(offer) will be represented by a group -> employees can
belong to 1..n offers
4) A user will be assigned to the roles (e.g. 'write record type A'),
BUT we won't be able to differentiate between department-specific roles
(user A may write in dept 1, but only read in dept 2)
5) Create a user with the only role: manage-users, BUT as stated here:
http://lists.jboss.org/pipermail/keycloak-user/2015-August/002814.html
He can grant himself superior rights. As JIRA is not accessible at the
moment I cannot examine the progress on that ticket.
6) Not sure about the feasibility: delete any admins and create/manage
realms over API


So far we have covered most of our goals, but have some critical
problems on items 4 - 6. Do you see any solution? Or would you recommend a
completely different strategy to cover our goals?

Thanks a lot in advance!


--
Fair winds,
Black Bellamy
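
Added example, not part of the original post: a small Python model of item 4 above, showing how a realm-wide role combined with group membership permits a (department, role) pair that per-department grants would deny. All names and sample data are constructed assumptions; this is not Keycloak code or its API.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    # Hypothetical model of one employee; not a Keycloak object.
    realm: str                                      # facility (tenant)
    groups: set = field(default_factory=set)        # departments (offers)
    realm_roles: set = field(default_factory=set)   # flat roles, as in item 4
    scoped_roles: set = field(default_factory=set)  # (department, role) pairs

def allowed_flat(user, realm, dept, role):
    """Item 4 as drafted: same realm, member of the group, holds the role."""
    return user.realm == realm and dept in user.groups and role in user.realm_roles

def allowed_scoped(user, realm, dept, role):
    """Requirement 4: the role must be granted for this specific department."""
    return user.realm == realm and (dept, role) in user.scoped_roles

def over_grants(user, depts, roles):
    """(dept, role) pairs the flat model permits but the scoped grants do not."""
    return sorted(
        (d, r) for d in depts for r in roles
        if allowed_flat(user, user.realm, d, r)
        and not allowed_scoped(user, user.realm, d, r)
    )

# Constructed sample: user A may write in dept-1 but only read in dept-2.
USER_A = User(
    realm="facility-1",
    groups={"dept-1", "dept-2"},
    realm_roles={"read-record-a", "write-record-a"},
    scoped_roles={
        ("dept-1", "read-record-a"),
        ("dept-1", "write-record-a"),
        ("dept-2", "read-record-a"),
    },
)

if __name__ == "__main__":
    depts = ["dept-1", "dept-2"]
    roles = ["read-record-a", "write-record-a"]
    for pair in over_grants(USER_A, depts, roles):
        print("flat model over-grants:", pair)
```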

