[keycloak-user] Fwd: Multi-tiered Permissions

Warren, Scott swarren at sumglobal.com
Fri Dec 28 09:54:14 EST 2018


I like the idea of only creating one store resource! I see the benefit of
pushing the current store as a claim.  Is there a way for a policy to get
the request URI to extract the store number (GET /stores/{storeNbr}/sales)?
That seems ideal (provided the storeNbr is in the URI).

I've got the user's primaryStoreNbr as an identityAttribute, so that's no
problem.

Unfortunately, this doesn't solve my real problem, which is storing the
user-to-store-to-scope relationships somehow in Keycloak. While I can do
some common permission consolidation using groups, I've got to have the
following for each of my 30K users so that my policies have the information
they need to make decisions:

{
  "user" : "userA", <--identityAttribute
  "primaryStoreNbr" : "2001", <--identityAttribute
  "storePermissions" : [
    {
      "storeNbr" : "2001",
      "scopes" : [ "POS", "DailyCloseout", "SalesReports"]
    },
    {
      "storeNbr" : "2002",
      "scopes" : [ "POS", "DailyCloseout"]
    },
    {
      "storeNbr" : "2003",
      "scopes" : [ "POS"]
    },
    {
      "storeNbr" : "2004",
      "scopes" : [ "POS"]
    }
  ]
}


So, do I need to maintain a separate database for (and app to maintain)
this data?
If I'm forced into that :(  I can use the identity to do an external DB
lookup for the user permission information. Can I do this with a Drools
rule, or would it be better just to create a custom provider?
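An added example, not from the original post or from Keycloak itself: it models the decision a policy would make once the request URI and the user's store permissions are both available to it (as a pushed claim and as a user attribute, respectively). The Keycloak evaluation API is deliberately left out so the logic runs stand-alone; the store data below is constructed after the JSON in the post, and storing the nested list as a JSON-encoded string attribute is an assumption, since Keycloak user attributes are strings. The code is ES5-style so it stays close to what an embedded JavaScript policy engine of that era would accept.

```javascript
// Constructed sample identity attributes, shaped after the post's JSON.
// storePermissions is kept as a JSON-encoded string (modelling assumption).
var SAMPLE_IDENTITY = {
  user: "userA",
  primaryStoreNbr: "2001",
  storePermissions: JSON.stringify([
    { storeNbr: "2001", scopes: ["POS", "DailyCloseout", "SalesReports"] },
    { storeNbr: "2002", scopes: ["POS", "DailyCloseout"] },
    { storeNbr: "2003", scopes: ["POS"] },
    { storeNbr: "2004", scopes: ["POS"] }
  ])
};

// Extract the store number from a path of the form /stores/{storeNbr}/...
// The pattern is anchored and digit-only, so a path such as /stores/2001x/sales
// or /stores/../2001/sales yields null instead of a wrong store.
function extractStoreNbr(requestUri) {
  var path = requestUri.split("?")[0];
  var m = /^\/stores\/(\d+)(?:\/|$)/.exec(path);
  return m ? m[1] : null;
}

// Parse the storePermissions attribute into a map storeNbr -> { scope: true }.
// Returns null on malformed input so the caller denies instead of guessing.
function parseStorePermissions(encoded) {
  var list;
  try { list = JSON.parse(encoded); } catch (e) { return null; }
  if (!Array.isArray(list)) return null;
  var byStore = {};
  for (var i = 0; i < list.length; i++) {
    var entry = list[i];
    if (!entry || typeof entry.storeNbr !== "string" || !Array.isArray(entry.scopes)) {
      return null;
    }
    if (!Object.prototype.hasOwnProperty.call(byStore, entry.storeNbr)) {
      byStore[entry.storeNbr] = {};
    }
    for (var j = 0; j < entry.scopes.length; j++) {
      byStore[entry.storeNbr][String(entry.scopes[j])] = true;
    }
  }
  return byStore;
}

// Deny-by-default decision: grant only when the URI names a store and the
// user's permissions for that store include the scope the endpoint requires.
// hasOwnProperty is used for lookups so inherited names like "constructor"
// can never read as a granted scope.
function decide(identity, requestUri, requiredScope) {
  var storeNbr = extractStoreNbr(requestUri);
  if (storeNbr === null) {
    return { granted: false, reason: "no store number in URI" };
  }
  var perms = parseStorePermissions(identity.storePermissions);
  if (perms === null) {
    return { granted: false, reason: "storePermissions attribute missing or malformed" };
  }
  if (!Object.prototype.hasOwnProperty.call(perms, storeNbr)) {
    return { granted: false, reason: "user has no permissions for store " + storeNbr };
  }
  if (!Object.prototype.hasOwnProperty.call(perms[storeNbr], requiredScope)) {
    return { granted: false, reason: "scope " + requiredScope + " not granted for store " + storeNbr };
  }
  return { granted: true, reason: "ok", storeNbr: storeNbr };
}

// Stand-alone demonstration.
console.log(decide(SAMPLE_IDENTITY, "/stores/2001/sales", "SalesReports")); // granted
console.log(decide(SAMPLE_IDENTITY, "/stores/2002/sales", "SalesReports")); // denied
console.log(decide(SAMPLE_IDENTITY, "/stores/9999/sales", "POS"));          // denied
```

Two points are worth noting for a real deployment: the decision falls through to deny whenever the URI does not match the expected shape or the attribute cannot be parsed, and the store number is taken only from the path, never from the user's primaryStoreNbr, so a user with permissions on several stores is checked against the store actually being requested.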

