[keycloak-user] Fwd: Multi-tiered Permissions

Pedro Igor Silva psilva at redhat.com
Fri Dec 28 08:20:20 EST 2018


Hi,

What if you push user's primary store as a claim to your policies and use
this information to decide the scopes he/she has access to?

It could also be useful to avoid creating a resource for each store, so you
could use a single resource and corresponding permission that matches the
store the user is accessing and his primary store (both sent as claims to
your policies).

Regards.
Pedro Igor

On Thu, Dec 27, 2018 at 9:55 PM Warren, Scott <swarren at sumglobal.com> wrote:

> Hi,
>
> I need some input on the best way to solve authorization for a retail chain
> scenario. Here's the scenario:
> A retailer has 10,000 stores and 30,000 users
> While each user has a primary store, they can work in other stores in their
> region
>
> At his/her primary store UserA (clerk) has the following scopes: POS,
> DailyCloseout
> For secondary stores, UserA has only the POS scope
>
> While there are many more scopes, and user roles, the problem to solve is
> this multi-tiered permissions structure. UserA's permissions depend on the
> store context.
>
> I've set up stores as resources (of type "store"), each resource has a
> storeNbr attribute
> I've set up scopes of POS, DailyCloseout, SalesReports, etc.
>
> I'm struggling with a clean way to tie a user to his/her "storeX" : [
> "scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute,
> and after mapping it, got it working with a javascript policy
> but that's a maintenance nightmare at best.
>
> I can set up roles with names like <storeNbr>.<scopeA>. It's better than
> the user attribute route, but still feels like a hack.
>
> I'm guessing I could write a Drools policy that could, using the identity
> from the context, read from a database that contains this structure.  BUT
> this provider is in tech preview / not supported, so I'm not excited about
> this route.
> Lastly, I guess I could write a custom policy provider.
> These last two require me to maintain a separate database (and app to
> maintain it), so I'm not thrilled with either of them.
>
> So, what have I missed? Is there an elegant way to solve this?
>
> Thanks for your help!
> Scott
>
>
>
>
> --
>
> Scott G. Warren
>
> SUM Global Technology
>
> swarren at sumglobal.com
>
> 678.469.3455
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


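As an added illustration of the approach Pedro suggests (this is not code from the thread, from Keycloak, or from either poster): a single policy decision that compares two claims, the user's primary store and the store being accessed, and grants only the scopes that tier allows, so no per-store resource or per-store role is needed. The scope matrix, the claim names `primaryStore` and `store`, and the `fakeEvaluation` stand-in are constructed here as assumptions. The `evaluate` wrapper follows the shape of Keycloak's JavaScript policy API (`$evaluation.getContext().getIdentity().getAttributes().getValue(name).asString(0)`, `$evaluation.getPermission().getScopes()`, `grant()`/`deny()`), but it runs against the JS fake; in a real policy the scope collection is a Java collection rather than an array, so the iteration would need adapting.

```javascript
'use strict';

// Constructed scope matrix for the retail scenario. In the real deployment the
// tiers would come from the retailer's role model, not from this table.
const PRIMARY_STORE_SCOPES = new Set(['POS', 'DailyCloseout', 'SalesReports']);
const SECONDARY_STORE_SCOPES = new Set(['POS']);

// Which scopes a user holds at `requestedStore`, given their `primaryStore`.
// Both values come from claims; a missing claim yields no scopes at all
// (fail closed rather than defaulting to the secondary tier).
function allowedScopes(primaryStore, requestedStore) {
  if (!primaryStore || !requestedStore) return new Set();
  return primaryStore === requestedStore ? PRIMARY_STORE_SCOPES : SECONDARY_STORE_SCOPES;
}

// Pure decision: grant only when every requested scope is allowed for this
// store relation and at least one scope was requested.
function decide(primaryStore, requestedStore, requestedScopes) {
  const allowed = allowedScopes(primaryStore, requestedStore);
  const granted = requestedScopes.filter((s) => allowed.has(s));
  const denied = requestedScopes.filter((s) => !allowed.has(s));
  return { grant: denied.length === 0 && granted.length > 0, granted, denied };
}

// Entry point shaped like a Keycloak JS policy. `primaryStore` is assumed to be
// a user attribute mapped into the identity; `store` is assumed to be the claim
// the client pushes with the authorization request. Both are read from the
// identity attributes, which is where Keycloak exposes pushed claims.
function evaluate($evaluation) {
  const attrs = $evaluation.getContext().getIdentity().getAttributes();
  const read = (name) => {
    const entry = attrs.getValue(name); // null when the attribute is absent
    return entry && !entry.isEmpty() ? entry.asString(0) : null;
  };
  const scopes = $evaluation.getPermission().getScopes().map((s) => s.getName());
  const decision = decide(read('primaryStore'), read('store'), scopes);
  if (decision.grant) $evaluation.grant(); else $evaluation.deny();
  return decision;
}

// Constructed stand-in for Keycloak's $evaluation object, only detailed enough
// for the calls above; it records the decision so it can be inspected.
function fakeEvaluation(claims, scopeNames) {
  const entry = (values) => ({ isEmpty: () => values.length === 0, asString: (i) => values[i] });
  const state = { decision: null };
  return {
    state,
    getContext: () => ({
      getIdentity: () => ({
        getAttributes: () => ({
          getValue: (name) => (name in claims ? entry([claims[name]]) : null),
        }),
      }),
    }),
    getPermission: () => ({ getScopes: () => scopeNames.map((n) => ({ getName: () => n })) }),
    grant: () => { state.decision = 'GRANT'; },
    deny: () => { state.decision = 'DENY'; },
  };
}

// Sample runs with constructed store numbers.
const atPrimary = fakeEvaluation({ primaryStore: '0042', store: '0042' }, ['POS', 'DailyCloseout']);
const atSecondary = fakeEvaluation({ primaryStore: '0042', store: '0099' }, ['POS', 'DailyCloseout']);
console.log('primary store:', evaluate(atPrimary), atPrimary.state.decision);
console.log('secondary store:', evaluate(atSecondary), atSecondary.state.decision);
```

Because a Keycloak policy answers grant or deny for the whole permission it is attached to, a request that mixes POS and DailyCloseout at a secondary store is denied outright here; if the client should instead receive the subset it is entitled to, attach the same policy logic to one scope-based permission per tier (one carrying POS, one carrying DailyCloseout and SalesReports) on the single "store" resource, and each permission is then decided independently.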