[keycloak-user] Keycloak relations between resources in a system

Kirill Liubun igneuslynx at gmail.com
Thu Jun 29 12:26:54 EDT 2017


Hi there,


I am new to keycloak and am trying to use it as the auth server in my solution.

I have the following entity model: the *devices* are owned by a particular
*company* to which some *users* belong. A user with role *admin* can grant
permission for viewing some set of devices to a regular user, but only those
devices that belong to the admin's company. Thus all users except admins can
view only a subset of all devices in the company. Based on the requirements I
decided to model a company as a *group* and devices as keycloak's *resources*.
To evaluate permissions I chose *rule-based policy*. The problem is I ran
into the following questions about how to implement the other relations and business
rules:

   1. Can I set the group as an owner of the resource to check this relation
   in policy?
   2. Which mechanism is better to use in my case to grant view permission on a
   particular device to a regular user?

If someone is more experienced in keycloak and knows how to better
represent such model, please help.

Thank you in advance.

*P.S.*

For the second question I have two solutions:

   - Create for each device a new role whose name consists of the *device's name* +
   the word *view* (This solution has a big disadvantage because if a user has over
   1000 devices the *Permission Ticket* will be very huge)
   - Represent the mapping between user and device via scope -- when an admin
   sets a relation between a particular device and a user, a scope whose name
   consists of the *user id* plus the word *view* is added to the resource (device)
   (I know it is not a good way to use scopes but I have no idea how to better
   configure this relation in keycloak)
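The business rules in the post (company ownership of devices, admins who may only share devices of their own company, regular users who see an allow-listed subset) can be checked by a single policy once the company is recorded on the resource instead of being encoded in role or scope names. The model below is an added illustration written for this thread, not the poster's code and not Keycloak's API: the `Resource` fields mirror the shape of a Keycloak resource (name, type, owner, scopes, attributes), but the attribute names `company` and `viewers`, the scope name `device:view` and the client name `device-api` are assumptions chosen here.

```python
"""Toy model of the device / company / user authorization rules from the post.

Added example: the dictionaries mirror the shape of a Keycloak resource
(name, owner, scopes, attributes) but the attribute names "company" and
"viewers", the scope "device:view" and the owner client "device-api" are
assumptions made for this illustration, not Keycloak defaults.
"""
from dataclasses import dataclass, field

VIEW = "device:view"          # assumed scope name


@dataclass
class Identity:
    user_id: str
    company: str              # the group path the user belongs to, e.g. "/acme"
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner: str                # Keycloak owners are users or clients, so the
    scopes: set = field(default_factory=lambda: {VIEW})  # company lives in attributes
    attributes: dict = field(default_factory=dict)


def new_device(name: str, company: str, owner_client: str = "device-api") -> Resource:
    """Register a device under the company that owns it (constructed data)."""
    return Resource(name=name, owner=owner_client,
                    attributes={"company": [company], "viewers": []})


def grant_view(admin: Identity, device: Resource, user: Identity) -> bool:
    """An admin may expose a device only to users of the admin's own company,
    and only if the device belongs to that company. Returns True when granted."""
    if "admin" not in admin.roles:
        return False
    if device.attributes.get("company") != [admin.company]:
        return False                       # device of another company: refuse
    if user.company != admin.company:
        return False                       # user of another company: refuse
    viewers = device.attributes.setdefault("viewers", [])
    if user.user_id not in viewers:
        viewers.append(user.user_id)       # one allow-list entry, no new role/scope
    return True


def evaluate(identity: Identity, resource: Resource, scope: str) -> bool:
    """One policy replacing per-device roles or per-user scopes:
    same company is required for everyone; admins then see every device,
    regular users only devices whose allow-list names them."""
    if scope not in resource.scopes:
        return False
    if resource.attributes.get("company") != [identity.company]:
        return False
    if "admin" in identity.roles:
        return True
    return identity.user_id in resource.attributes.get("viewers", [])


def demo() -> dict:
    """Run the scenario from the post and return the decisions."""
    acme_admin = Identity("u-admin-acme", "/acme", {"admin"})
    acme_user = Identity("u-bob", "/acme")
    other_admin = Identity("u-admin-globex", "/globex", {"admin"})
    sensor = new_device("sensor-17", "/acme")

    return {
        "foreign_admin_can_grant": grant_view(other_admin, sensor, acme_user),
        "user_before_grant": evaluate(acme_user, sensor, VIEW),
        "own_admin_can_grant": grant_view(acme_admin, sensor, acme_user),
        "user_after_grant": evaluate(acme_user, sensor, VIEW),
        "foreign_admin_can_view": evaluate(other_admin, sensor, VIEW),
        "own_admin_can_view": evaluate(acme_admin, sensor, VIEW),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check:26} -> {decision}")
```

The point of the allow-list attribute is that the number of roles and scopes stays constant however many devices a company has; the per-device state lives on the resource, and the policy reads it at evaluation time.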

