[keycloak-user] Fwd: Multi-tiered Permissions

Pedro Igor Silva psilva at redhat.com
Fri Dec 28 13:18:11 EST 2018


If you use CIP to push the URI [1].

From your example, I understand that by default users have access to POS.
For the primary store, they can do more. By pushing the URL (or only the
store id), you should be able to differentiate the scopes that should be
granted to primary vs. secondary stores.

[1]
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/src/main/resources/application.properties#L13


On Fri, Dec 28, 2018 at 2:57 PM Warren, Scott <swarren at sumglobal.com> wrote:

> Jumped the gun on that last response:
> 1. I can configure the policy enforcer with claim-information-point to
> extract information from the request
> 2. Assuming I'm correct in that this information is not easily stored in
> Keycloak, I need to set up an external Claim Information Point (CIP) either
> as an HTTP service or by implementing the CIP SPI.
>
> This seems like the most elegant path, though I really didn't want to
> create a separate app and DB to maintain this data.
>
> Any thoughts?
>
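
The decision described in this reply, sketched as an added example (not code from the thread or from Keycloak): the store id is taken from the pushed URI claim and selects which scopes are granted. The claim name `uri_claim`, the `/stores/{id}` URI layout, the scope names and the `primaryStore` user attribute are all assumptions.

```javascript
'use strict';

// Hypothetical scope sets: every user gets POS, the primary store unlocks more.
const BASE_SCOPES = ['pos:use'];
const PRIMARY_SCOPES = ['pos:use', 'inventory:manage', 'reports:view'];

// Assumed URI layout: /stores/{storeId}/... with a conservative id alphabet.
const STORE_URI = /^\/stores\/([A-Za-z0-9_-]{1,64})(?:\/|$)/;

// Extract the store id from the pushed URI, or null if it cannot be trusted.
function storeIdFromUri(uri) {
  if (typeof uri !== 'string') return null;
  // Drop query string and fragment; only the path identifies the store.
  const path = uri.split(/[?#]/, 1)[0];
  // Reject percent-encoding, '..' and empty segments instead of normalising,
  // so the id evaluated here is the same one the backend will route on.
  if (path.includes('%') || path.includes('..') || path.includes('//')) return null;
  const m = STORE_URI.exec(path);
  return m ? m[1] : null;
}

// pushedClaims: claims the enforcer pushed with the request (constructed shape).
// user: identity attributes, with the user's primary store id (assumed attribute).
function grantedScopes(pushedClaims, user) {
  const storeId = storeIdFromUri(pushedClaims && pushedClaims.uri_claim);
  if (storeId === null) return [];            // fail closed on a missing or odd claim
  return storeId === user.primaryStore
    ? PRIMARY_SCOPES.slice()                  // primary store: extended scopes
    : BASE_SCOPES.slice();                    // any other store: POS only
}

// Constructed sample input.
const sampleUser = { name: 'alice', primaryStore: 's-100' };
console.log(grantedScopes({ uri_claim: '/stores/s-100/orders' }, sampleUser));
console.log(grantedScopes({ uri_claim: '/stores/s-200/orders' }, sampleUser));
console.log(grantedScopes({ uri_claim: '/stores/../stores/s-100' }, sampleUser));
```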

