[keycloak-user] Share resource by checking if some other user is in a certain group

Or Harary harary.or at gmail.com
Wed Feb 14 07:11:41 EST 2018


Hi,

Thanks for the response.
I have a policy which checks if a user is in a certain group which is
related to the resource, but my case is a bit different because I want to
check if another user (not the one who calls the authorization api) is in a
group.
I'll try to explain some more:

I have one case like this:

some resource with the following path:
/company/{company id}/resource_name/{resource_id}

a group representing the company with the name:
/company/{company id}

Users who are managers in the company are in this group.
I have a group mapper which puts the groups with their full path inside the
token.
This way it's easy for me to check if a user has access to a company's
resources by a JS policy (match the groups companies ids with the resource
uri).

My different case with the wallet is that the resource is not held by the
company; it's the user's resource, and this resource should be "visible" to
multiple companies under the right conditions.
This resource URI is:
/{user-1-id}/wallet/{wallet-id}
as I mentioned before

So when a "manager" (a user in a company's group) tries to access a different
user's resource like this, I don't have the option to check groups, because I
need the resource owner's groups and not the groups of the user who requests
the permissions.
Hope it clears the question a little more.

With the improvements you mentioned about user-managed access, will it
be possible to control it by a policy, or will it be implicit by specifying
specific users who will be able to access this resource? Because I need a
dynamic solution (managers can always change).

On Wed, Feb 14, 2018 at 1:53 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

>
>
> On Tue, Feb 13, 2018 at 4:50 PM, Or Harary <harary.or at gmail.com> wrote:
>
>>  Hello,
>>
>> After some time of using keycloak which works great for most of my
>> demands,
>> I wanted to know if it's possible to create a permission with a policy
>> that
>> will tell me if some user (not the one which is logged in) is within a
>> certain group.
>>
>> For example:
>>
>> User 1 has a digital wallet.
>> This digital wallet has a resource:
>> name: /wallet/{wallet-id}
>> uri: /{user-1-id}/wallet/{wallet-id}
>> scopes: charge/read/...
>>
>> User 2 has a company which is represented as a group.
>>
>> User 2 wants to charge user 1's digital wallet, but I want him to only be
>> able
>> to do so when user 1 is inside user 2's company group.
>>
>> How can I check this with a policy?
>> Or somehow share user 1 resource with user 2 by a policy?
>>
>
> We are introducing some changes to authorization services in order to
> update implementation to UMA 2.0.
>
> One of the main features we are delivering is the user-managed access part
> we were missing in current implementation, where users are allowed to share
> their resources.
>
> We are also providing some RESTful endpoints which your applications
> (resource servers) can use to manage permission requests.
>
> Right now, I think you can try a JS policy that checks for the group and
> the user allowed to access a resource. Let me know if you are able to do
> so, if not we have space to improve what we expose via the Evaluation API
> (the objects exposed to policies with the permission being requested +
> context).
>
> Regards.
> Pedro Igor
>
>
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
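An added example, not part of this thread and not Keycloak's own code: a JavaScript sketch of the check Pedro suggests, a JS policy that grants access to a company resource when the caller is in that company's group, and to a wallet when the caller shares a company group with the wallet's owner. The `decide` function only uses the path conventions given above and runs in plain Node. The `evaluate` adapter assumes an Evaluation API exposing `getPermission().getResource().getUris()` and `getOwner()`, `getContext().getIdentity().getId()`, `getRealm().getUserGroups(id)` and `grant()`/`deny()`; those accessors are taken from later Keycloak releases and may not exist in the version discussed here, so check them against the release in use. User ids, company ids and group paths in the comments are constructed.

```javascript
// Added example (not from the thread or from Keycloak). Decision logic for the
// two cases described above, kept in a pure function so it runs under Node,
// plus an assumed adapter that wires it to a Keycloak JS policy.
//
// Conventions taken from the thread:
//   group path        /company/{company-id}              (managers are members)
//   company resource  /company/{company-id}/{name}/{id}
//   wallet resource   /{owner-user-id}/wallet/{wallet-id}
const COMPANY_GROUP = /^\/company\/([^/]+)$/;   // exact path: subgroups do not count
const COMPANY_RESOURCE = /^\/company\/([^/]+)\//;
const WALLET_RESOURCE = /^\/([^/]+)\/wallet\/[^/]+$/;

// Collect the company ids from a list of full group paths.
function companyIds(groupPaths) {
  const ids = new Set();
  for (const path of groupPaths) {
    const m = COMPANY_GROUP.exec(path);
    if (m) ids.add(m[1]);
  }
  return ids;
}

// Returns true when access should be granted.
//   resourceUri      URI of the requested resource
//   ownerId          user id registered as the resource owner (null if none)
//   requesterId      user id of the caller
//   requesterGroups  full group paths of the caller
//   ownerGroups      full group paths of the owner; these are not in the
//                    caller's token, so the caller of this function must
//                    look them up server-side (see evaluate below)
function decide(resourceUri, ownerId, requesterId, requesterGroups, ownerGroups) {
  const requesterCompanies = companyIds(requesterGroups);

  // Case 1: company-held resource. Grant if the caller is in that company's group.
  let m = COMPANY_RESOURCE.exec(resourceUri);
  if (m) return requesterCompanies.has(m[1]);

  // Case 2: a user's wallet, visible to managers of a company the owner belongs to.
  m = WALLET_RESOURCE.exec(resourceUri);
  if (m) {
    if (m[1] !== ownerId) return false;       // URI and registered owner disagree: deny
    if (requesterId === ownerId) return true; // the owner always reaches their own wallet
    const ownerCompanies = companyIds(ownerGroups);
    for (const id of requesterCompanies) {
      if (ownerCompanies.has(id)) return true;
    }
    return false;
  }

  return false; // unknown URI shape: default deny
}

// Turn a JS array, or a Java collection as seen from a Nashorn policy
// (anything with iterator()/hasNext()/next()), into a JS array of strings.
function toArray(values) {
  if (!values) return [];
  if (Array.isArray(values)) return values.map(String);
  const out = [];
  const it = values.iterator();
  while (it.hasNext()) out.push(String(it.next()));
  return out;
}

// Assumed adapter to the Keycloak JS policy Evaluation API (accessor names are
// an assumption from later releases, not confirmed for the version in the thread).
function evaluate(evaluation) {
  const resource = evaluation.getPermission().getResource();
  const realm = evaluation.getRealm();
  const requesterId = evaluation.getContext().getIdentity().getId();
  const ownerId = resource.getOwner();
  const uris = toArray(resource.getUris());
  const requesterGroups = toArray(realm.getUserGroups(requesterId));
  // Only wallets need the owner's groups; a company resource is normally
  // owned by the resource server (a client), which has no groups to look up.
  const needOwner = ownerId && uris.some((u) => WALLET_RESOURCE.test(u));
  const ownerGroups = needOwner ? toArray(realm.getUserGroups(ownerId)) : [];
  const granted = uris.some((u) => decide(u, ownerId, requesterId, requesterGroups, ownerGroups));
  if (granted) evaluation.grant(); else evaluation.deny();
}

// Inside Keycloak the policy engine defines $evaluation; under Node it is absent.
if (typeof $evaluation !== 'undefined') evaluate($evaluation);
```

The point of the adapter is the `getUserGroups(ownerId)` lookup: the requester's token can never carry the owner's groups, so the comparison the thread asks for has to be made server-side from the resource's registered owner, which is exactly what the poster could not reach through the token-based JS policy.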

