[keycloak-user] RBAC : adding permissions to roles

Avinash Kundaliya avinash at avinash.com.np
Mon Jan 9 08:45:21 EST 2017


Hi Stian,
Thanks for the prompt response. I have probably read through the guide a 
number of times. It's helpful, but it takes a while (and some struggle) to 
probably understand it and implement in practice.

Is there an example of how to do this simply, or would one have to 
create scopes (which is like a permission), policies (one for each role) 
and permissions that would map the role to a scope?

Also, possibly a related question: does role-type policy also take into 
account roles that a user gets effectively because of a composite role? 
If so, the "Evaluate" page always gives me a Deny. Another approach: if 
I add the scope to each policy, then it still gives me a Deny (I tried 
setting the strategy to Affirmative, still didn't help).

I hope the description isn't abstract; if so, I will try to add 
screenshots next time.

Regards,
Avinash


On 1/9/17 19:14, Stian Thorgersen wrote:
> You can either use our authorization services (see 
> https://keycloak.gitbooks.io/authorization-services-guide/content/) to 
> manage permissions centrally through Keycloak or you can manage it on 
> your own within the application.
>
> On 9 January 2017 at 14:19, Avinash Kundaliya <avinash at avinash.com.np>
> wrote:
>
>     Hello,
>
>     I have a very basic question and am curious how to model this via
>     Keycloak.
>
>     In my application I have some roles. I want to map each role to a
>     set of permissions so that, based on those permissions, I can check
>     if the user has access to a specific action/resource in my
>     application server (pretty much how classically RBAC is done).
>
>     I am curious if there is a defined pattern/way of modeling such a
>     behavior in Keycloak, or would the best way to do this be to
>     define and map permissions (to roles) in the application (i.e. outside
>     Keycloak). What is the best practice for such a case?
>
>     Regards,
>     Avinash
>
>
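
The second option in the reply above (managing permissions within the application) can be modelled as a role-to-permission table checked against the roles carried in the token. This is an added example, not code from the thread or from Keycloak; the role names, permission strings, composite map and the `my-app` client id are constructed, and the claims are assumed to come from an access token whose signature and expiry have already been verified.

```python
# Added example: application-side RBAC (roles -> permissions), deny by default.
# All role names, permission strings and the composite map are constructed.

# Each role maps to a set of permissions ("scopes" in the thread's wording).
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:write"},
    "auditor": {"audit:read"},
}

# Composite roles: holding the key also grants the listed roles (assumption:
# the application expands them itself instead of relying on the token).
COMPOSITES = {
    "editor": {"viewer"},
    "admin": {"editor", "auditor"},
}


def effective_roles(granted):
    """Expand composite roles transitively; tolerates cycles in the map."""
    seen, stack = set(), list(granted)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPOSITES.get(role, ()))
    return seen


def roles_from_claims(claims, client_id):
    """Collect realm and client roles from already-verified token claims."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)


def is_allowed(claims, client_id, permission):
    """Allow only if some effective role carries the permission."""
    roles = effective_roles(roles_from_claims(claims, client_id))
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)


# Constructed claims, shaped like the role claims of a Keycloak access token.
SAMPLE = {"realm_access": {"roles": ["admin"]},
          "resource_access": {"my-app": {"roles": ["unknown-role"]}}}

if __name__ == "__main__":
    for perm in ("report:read", "audit:read", "user:delete"):
        print(perm, is_allowed(SAMPLE, "my-app", perm))
```

Unknown roles and unlisted permissions fall through to a deny, and roles granted for a different client are ignored.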


