[keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool

Pedro Igor Silva psilva at redhat.com
Tue May 9 14:10:42 EDT 2017


I think you are right, Bill. This seems to be working already.

I have written a test for role policy evaluation and group roles are
working from both authorization endpoints and evaluation tool.

@Jeremy and @Bettina, it seems you are using 3.1.0.CR1. Could you try with
3.1.0.Final, please?

Regards.
Pedro Igor



On Tue, May 9, 2017 at 11:36 AM, Bill Burke <bburke at redhat.com> wrote:

> The policy evaluation tool should be validating roles based on group
> membership.  I thought I fixed that, but I guess not.
>
>
> On 5/9/17 7:38 AM, Pedro Igor Silva wrote:
> > You are right. We are not considering roles associated with groups. We
> > also lack a group based policy ....
> >
> > For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
> > For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
> >
> > Will start working on those two issues before next release.
> >
> > On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de>
> > wrote:
> >
> >> Hi Jeremy,
> >>
> >> I noticed the same behaviour and it still happens in version 3.1.0.CR1.
> >> Effective Roles are not taken into account by the Policy Evaluation Tool,
> >> only roles assigned directly to a user.
> >>
> >> Best regards
> >> Bettina
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Jeremy Majors
> >> Sent: Monday, 27 February 2017 22:57
> >> To: keycloak-user at lists.jboss.org
> >> Subject: [keycloak-user] Group Level Roles Not Honored by Policy
> >> Evaluation Tool
> >>
> >> I have set up my users to have the 'read' role by associating that role
> >> to a group which my users have been associated with.  While testing the
> >> policies for a resource using the Policy Evaluation tool I determined
> >> that the roles associated with the groups weren't being picked up and the
> >> user was being denied access to the resource (please note that when I
> >> looked at the user's roles I did notice that 'read' was listed as an
> >> effective role).  When I removed one of the users from the group and
> >> directly assigned the 'role' to the user then I was able to successfully
> >> access the resource using the Policy Evaluation tool.
> >>
> >>
> >> Can anyone else reproduce this issue?  It's unclear whether it could be
> >> related to KEYCLOAK-2964, which has been closed.
> >>
> >>
> >> Thanks in advance,
> >>
> >> Jeremy
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
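The thread above describes a policy evaluator that consulted only the roles mapped directly onto a user, so a user whose 'read' role came from a group (and therefore showed up under "effective roles") was denied. The following is an added example, not Keycloak's own code: a small model of the two role-resolution strategies, direct-only versus effective (direct roles plus the roles of the user's groups and their parent groups, with composite roles expanded), run against the same role policy. All names in it (Group, User, evaluate_role_policy, the sample realm data) are constructed for illustration, and the role-policy semantics it applies (deny if a role flagged required is missing, otherwise grant if the user holds any listed role) are this example's reading of a role policy, not a statement of Keycloak's implementation.

```python
# Added example (not Keycloak's own code): why a role policy that looks only at
# a user's directly assigned roles denies a user whose role comes from a group,
# and how resolving "effective" roles (direct roles, roles on the user's groups
# and their parent groups, plus composite-role expansion) fixes it.
# All names below (Group, User, evaluate_role_policy, the sample realm data and
# the role-policy semantics used) are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Group:
    name: str
    roles: FrozenSet[str] = frozenset()
    parent: Optional["Group"] = None  # subgroups inherit the parent's roles


@dataclass(frozen=True)
class User:
    username: str
    direct_roles: FrozenSet[str] = frozenset()
    groups: Tuple[Group, ...] = ()


# Composite roles: holding the key role implies the listed roles (assumed data).
COMPOSITES: Dict[str, FrozenSet[str]] = {
    "editor": frozenset({"read", "write"}),
}


def direct_roles(user: User) -> FrozenSet[str]:
    """The buggy view: only roles mapped straight onto the user."""
    return frozenset(user.direct_roles)


def effective_roles(user: User,
                    composites: Dict[str, FrozenSet[str]] = COMPOSITES) -> FrozenSet[str]:
    """Roles the user actually holds: direct roles, the roles of each group and
    of every ancestor group, then composite roles expanded transitively."""
    roles = set(user.direct_roles)
    for group in user.groups:
        node: Optional[Group] = group
        while node is not None:          # walk up the group hierarchy
            roles |= node.roles
            node = node.parent
    pending = list(roles)
    while pending:                       # expand composites until a fixed point
        for implied in composites.get(pending.pop(), ()):
            if implied not in roles:
                roles.add(implied)
                pending.append(implied)
    return frozenset(roles)


# A role policy is a list of (role, required) pairs. Semantics assumed here:
# deny if any role flagged required is missing; otherwise grant if the user
# holds at least one of the listed roles.
RolePolicy = List[Tuple[str, bool]]


def evaluate_role_policy(policy: RolePolicy, held: FrozenSet[str]) -> str:
    granted = False
    for role, required in policy:
        has_role = role in held
        if required and not has_role:
            return "DENY"
        granted = granted or has_role
    return "GRANT" if granted else "DENY"


def evaluate(policy: RolePolicy, user: User, use_effective: bool) -> str:
    """Run the policy against either the direct-only or the effective role set."""
    held = effective_roles(user) if use_effective else direct_roles(user)
    return evaluate_role_policy(policy, held)


# Constructed sample realm: 'auditors' is a subgroup of 'readers', which carries 'read'.
READERS = Group("readers", frozenset({"read"}))
AUDITORS = Group("auditors", frozenset({"audit"}), parent=READERS)
JEREMY = User("jeremy", groups=(AUDITORS,))              # 'read' only via group inheritance
ALICE = User("alice", direct_roles=frozenset({"read"}))  # 'read' mapped directly
BOB = User("bob", direct_roles=frozenset({"editor"}))    # 'read' only via composite 'editor'

READ_POLICY: RolePolicy = [("read", False)]
ADMIN_REQUIRED_POLICY: RolePolicy = [("read", False), ("admin", True)]


if __name__ == "__main__":
    for user in (JEREMY, ALICE, BOB):
        print(f"{user.username:7} direct-only={evaluate(READ_POLICY, user, False):5} "
              f"effective={evaluate(READ_POLICY, user, True)}")
```

Running it shows the symptom from the thread: jeremy (and bob, via a composite role) is denied by the direct-only evaluation and granted once effective roles are resolved, while alice, whose role is mapped directly, is granted either way. The practical check when an evaluation tool and a live authorization request disagree is to compare the role set each one actually fed to the policy, not just the mapping shown in the admin console.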

