[keycloak-user] Fwd: Multi-tiered Permissions

Warren, Scott swarren at sumglobal.com
Thu Dec 27 18:51:28 EST 2018


Hi,

I need some input on the best way to solve authorization for a retail chain
scenario. Here's the scenario:
A retailer has 10,000 stores and 30,000 users
While each user has a primary store, they can work in other stores in their
region

At his/her primary store UserA (clerk) has the following scopes: POS,
DailyCloseout
For secondary stores, UserA has only the POS scope

While there are many more scopes, and user roles, the problem to solve is
this multi-tiered permissions structure. UserA's permissions depend on the
store context.

I've set up stores as resources (of type "store"), each resource has a
storeNbr attribute
I've set up scopes of POS, DailyCloseout, SalesReports, etc.

I'm struggling with a clean way to tie a user to his/her "storeX" : [
"scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute,
and after mapping it, got it working with a javascript policy
but that's a maintenance nightmare at best.

I can set up roles with names like <storeNbr>.<scopeA>. It's better than
the user attribute route, but still feels like a hack.

I'm guessing I could write a Drools policy that could, using the identity
from the context, read from a database that contains this structure. BUT
this provider is in tech preview / not supported, so I'm not excited about
this route.
Lastly, I guess I could write a custom policy provider.
These last two require me to maintain a separate database (and app to
maintain it), so I'm not thrilled with either of them.

So, what have I missed? Is there an elegant way to solve this?

Thanks for your help!
Scott
-- 

Scott G. Warren

SUM Global Technology

swarren at sumglobal.com

678.469.3455
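The "user attribute plus JavaScript policy" route described in the message, written out as an added example (not Scott's code and not part of Keycloak itself). It assumes a user attribute named `storeScopes` holding a JSON object of the `"storeX": ["scopeA", "scopeB"]` shape, and a `store` resource carrying the `storeNbr` attribute from the message; both names are assumptions. In Keycloak the policy body runs inside the server's script engine with a global `$evaluation`; here a small constructed stand-in for that object lets the same logic run in Node, so the decision rules can be checked offline before the policy is pasted in.

```javascript
// Added example, not from the original post. The user attribute name and the
// JSON layout below are assumptions; "storeNbr" is the resource attribute the
// message describes. decide() and policy() are written in ES5 style so they
// could be pasted into a Keycloak JavaScript policy unchanged.

var ATTRIBUTE_NAME = "storeScopes"; // assumed user attribute name

// Pure decision: grant only if every requested scope is listed for this store.
// Fails closed on a missing or malformed attribute and on an empty request.
function decide(storeScopesJson, storeNbr, requestedScopes) {
  var perStore;
  try {
    perStore = JSON.parse(storeScopesJson || "{}");
  } catch (e) {
    return false; // malformed attribute: deny rather than guess
  }
  var allowed = Array.isArray(perStore[storeNbr]) ? perStore[storeNbr] : [];
  if (requestedScopes.length === 0) return false;
  return requestedScopes.every(function (s) { return allowed.indexOf(s) !== -1; });
}

// Body of the JavaScript policy. Uses only calls that exist on Keycloak's
// $evaluation object: getPermission().getResource().getAttributes() (a Java
// Map of String -> List<String>), getPermission().getScopes() (a Java
// Collection of Scope), and getContext().getIdentity().getAttributes()
// (Attributes, whose getValue() returns null or an Entry with asString(i)).
function policy($evaluation) {
  var permission = $evaluation.getPermission();
  var identity = $evaluation.getContext().getIdentity();

  var storeList = permission.getResource().getAttributes().get("storeNbr");
  var storeNbr = storeList && storeList.size() > 0 ? String(storeList.get(0)) : null;

  var entry = identity.getAttributes().getValue(ATTRIBUTE_NAME);
  var storeScopesJson = entry ? String(entry.asString(0)) : null;

  var requested = [];
  var it = permission.getScopes().iterator();
  while (it.hasNext()) requested.push(String(it.next().getName()));

  if (storeNbr !== null && decide(storeScopesJson, storeNbr, requested)) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// --- Constructed stand-in for the Keycloak runtime (Node only) ---------------

// Mimics the java.util.List / Collection methods the policy relies on.
function javaList(items) {
  return {
    size: function () { return items.length; },
    get: function (i) { return items[i]; },
    iterator: function () {
      var i = 0;
      return { hasNext: function () { return i < items.length; },
               next: function () { return items[i++]; } };
    },
  };
}

// Builds a fake $evaluation for one user, one store resource and the scopes
// being requested, and records whether the policy called grant() or deny().
function mockEvaluation(user, storeNbr, requestedScopes) {
  var decision = { result: null };
  var resourceAttrs = new Map([["storeNbr", javaList([storeNbr])]]);
  var scopes = javaList(requestedScopes.map(function (name) {
    return { getName: function () { return name; } };
  }));
  var entry = user.storeScopes === undefined
    ? null
    : { asString: function () { return user.storeScopes; } };
  var $evaluation = {
    getPermission: function () {
      return {
        getResource: function () { return { getAttributes: function () { return resourceAttrs; } }; },
        getScopes: function () { return scopes; },
      };
    },
    getContext: function () {
      return { getIdentity: function () {
        return { getAttributes: function () {
          return { getValue: function (n) { return n === ATTRIBUTE_NAME ? entry : null; } };
        } };
      } };
    },
    grant: function () { decision.result = "GRANT"; },
    deny: function () { decision.result = "DENY"; },
  };
  return { $evaluation: $evaluation, decision: decision };
}

// Runs the policy against the stand-in and returns "GRANT" or "DENY".
function evaluate(user, storeNbr, requestedScopes) {
  var m = mockEvaluation(user, storeNbr, requestedScopes);
  policy(m.$evaluation);
  return m.decision.result;
}

// Constructed sample user: clerk at store 1001, POS-only at store 1002.
var sampleClerk = {
  storeScopes: JSON.stringify({ "1001": ["POS", "DailyCloseout"], "1002": ["POS"] }),
};
console.log(evaluate(sampleClerk, "1001", ["POS", "DailyCloseout"])); // GRANT
console.log(evaluate(sampleClerk, "1002", ["DailyCloseout"]));        // DENY
```

The useful property to confirm before relying on a policy like this is that every unexpected input (no attribute, unparsable JSON, a store the user has never been assigned, an empty scope list) ends in `deny()`; the stand-in makes that cheap to check. It does not remove the maintenance concern raised in the message, since the per-store JSON still has to be edited on each user, but it does keep the decision logic small enough to audit.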

