[keycloak-user] Share resource by checking if some other user is in a certain group

Pedro Igor Silva psilva at redhat.com
Wed Feb 14 07:52:08 EST 2018


On Wed, Feb 14, 2018 at 10:11 AM, Or Harary <harary.or at gmail.com> wrote:

> Hi,
>
> Thanks for the response.
> I have a policy which checks if a user is in a certain group which is
> related to the resource, but my case is a bit different because I want to
> check if another user (not the one who calls the authorization api) is in a
> group.
> I'll try to explain some more-
>
> I have one case like this:
>
> some resource with the following path:
> /company/{company id}/resource_name/{resource_id}
>
> a group representing the company with the name:
> /company/{company id}
>
> Users who are managers in the company are in this group.
> I have a group mapper which puts the groups with their full path inside
> the token.
> This way it's easy for me to check if a user has access to a company's
> resources by a JS policy (match the groups companies ids with the resource
> uri).
>
> My different case with the wallet is that the resource is not held by the
> company, it's the user's resource and this resource should be "visible" by
> multiple companies in the right conditions.
> This resource URI is:
> /{user-1-id}/wallet/{wallet-id}
> as I mentioned before
>
> So when a "manager" (a user in a company's group) tries to access a
> different user's resource like this, I don't have the option to check groups,
> because I need the resource owner's groups and not the groups of the user who
> requests the permissions.
> Hope it clears the question a little more.
>

Yeah, it is clear now. Thanks.

I think we can improve the Evaluation API and expose the owner as an
object. Or even provide additional methods to check roles/groups that
accept a username/id (such as the owner as it stands today).

Another improvement we are planning is to allow pushing additional claims when
obtaining an RPT (token with permissions) from the server. Not sure if this
is going to help you in this case, but you will be able to push these
claims to your policies and use them to determine a decision.

Lastly, there is also an issue to introduce attributes to resources ....


>
> With the improvements you mentioned about the user managed access will it
> be possible to control it by a policy or will it be implicit by specifying
> specific users which will be able to access this resource? because I need a
> dynamic solution (managers can always change)
>

By specifying specific users which will be able to access a resource. This
is not controlled by a policy, but a direct approval by the resource owner
to access some of their resources. The main idea behind this feature is
privacy. Users should be able to grant, revoke and review access to
their resources anytime (such as using the Keycloak User Account Service). But
you can also manage these permissions using the RESTful endpoints I
mentioned before.

These permissions override any result produced by the evaluation engine. If
this user-defined permission exists (and is granted), access is granted
even though your policies voted for a DENY.


>
> On Wed, Feb 14, 2018 at 1:53 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>>
>>
>> On Tue, Feb 13, 2018 at 4:50 PM, Or Harary <harary.or at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> After some time of using keycloak, which works great for most of my
>>> demands, I wanted to know if it's possible to create a permission with a
>>> policy that will tell me if some user (not the one which is logged in) is
>>> within a certain group.
>>>
>>> For example:
>>>
>>> User 1 has a digital wallet.
>>> This digital wallet has a resource:
>>> name: /wallet/{wallet-id}
>>> uri: /{user-1-id}/wallet/{wallet-id}
>>> scopes: charge/read/...
>>>
>>> User 2 has a company which is represented as a group
>>>
>>> User 2 wants to charge user 1's digital wallet but I want him to only be
>>> able to do so when user 1 is inside user 2's company group
>>>
>>> How can I check this with a policy?
>>> Or somehow share user 1 resource with user 2 by a policy?
>>>
>>
>> We are introducing some changes to authorization services in order to
>> update the implementation to UMA 2.0.
>>
>> One of the main features we are delivering is the user-managed access
>> part we were missing in the current implementation, where users are allowed to
>> share their resources.
>>
>> We are also providing some RESTful endpoints which your applications
>> (resource servers) can use to manage permission requests.
>>
>> Right now, I think you can try a JS policy that checks for the group and
>> the user allowed to access a resource. Let me know if you are able to do
>> so, if not we have space to improve what we expose via the Evaluation API
>> (the objects exposed to policies with the permission being requested +
>> context).
>>
>> Regards.
>> Pedro Igor
>>
>>
>>>
>>> Thanks!
>>>
>>
>>
>
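Added example (not code from the thread or from Keycloak): the JS-policy logic Or describes for the first case, matching the company ids carried in the token's group paths (`/company/{company id}`) against the company id in the requested resource URI (`/company/{company id}/resource_name/{resource_id}`). A real Keycloak JS policy reads the requesting identity and the resource from the `$evaluation` object; the stand-in below (`makeEvaluation`) is constructed here with assumed method names (`getContext().getIdentity().getAttributes().getValue('groups')`, `getPermission().getResource().getUris()`, `grant()`, `deny()`) so the decision can be exercised offline. The last test case shows the limitation discussed above: for the wallet URI `/{user-1-id}/wallet/{wallet-id}` no company id can be derived, and the requesting manager's own groups say nothing about the owner's groups, so this policy can only deny.

```javascript
// Added example, not Keycloak's code. Method names on the evaluation
// object are assumptions modelled on a Keycloak JS policy; the matching
// logic itself is plain JavaScript.

// Extract the company id from a company-scoped resource URI, e.g.
// "/company/42/resource_name/7" -> "42". Returns null for any other URI
// (such as the wallet URI "/{user-1-id}/wallet/{wallet-id}").
function companyIdFromUri(uri) {
  const m = /^\/company\/([^/]+)(?:\/|$)/.exec(uri);
  return m ? m[1] : null;
}

// Collect company ids from group paths of the form "/company/{id}", as a
// group mapper that puts full group paths into the token would produce.
// Sub-groups or unrelated groups are ignored.
function companyIdsFromGroups(groupPaths) {
  const ids = new Set();
  for (const path of groupPaths) {
    const m = /^\/company\/([^/]+)$/.exec(path);
    if (m) ids.add(m[1]);
  }
  return ids;
}

// Pure decision: GRANT only if some resource URI names a company whose
// "/company/{id}" group the requesting identity carries; DENY otherwise.
// Default-deny means a URI the policy does not understand is never granted.
function decide(groupPaths, resourceUris) {
  const allowed = companyIdsFromGroups(groupPaths);
  for (const uri of resourceUris) {
    const id = companyIdFromUri(uri);
    if (id !== null && allowed.has(id)) return 'GRANT';
  }
  return 'DENY';
}

// Policy body as it would be wired to the evaluation object. Returns the
// decision so it can be checked; the evaluation object is also told.
function evaluate(evaluation) {
  const identity = evaluation.getContext().getIdentity();
  const resource = evaluation.getPermission().getResource();
  // Assumption: the "groups" claim is exposed as an array of full paths.
  const groups = identity.getAttributes().getValue('groups') || [];
  const decision = decide(groups, resource.getUris());
  if (decision === 'GRANT') evaluation.grant(); else evaluation.deny();
  return decision;
}

// Constructed stand-in for $evaluation (not the real Keycloak object).
function makeEvaluation(groupPaths, resourceUris) {
  return {
    result: null,
    getContext: () => ({
      getIdentity: () => ({
        getAttributes: () => ({
          getValue: (name) => (name === 'groups' ? groupPaths : null),
        }),
      }),
    }),
    getPermission: () => ({ getResource: () => ({ getUris: () => resourceUris }) }),
    grant() { this.result = 'GRANT'; },
    deny() { this.result = 'DENY'; },
  };
}

// Constructed sample inputs: a manager of company 42 requesting a
// company-42 resource, a company-99 resource, and another user's wallet.
const managerGroups = ['/company/42', '/some/other/group'];
const sameCompany = makeEvaluation(managerGroups, ['/company/42/resource_name/7']);
const otherCompany = makeEvaluation(managerGroups, ['/company/99/resource_name/7']);
const wallet = makeEvaluation(managerGroups, ['/user-1-id/wallet/w1']);
console.log(evaluate(sameCompany), evaluate(otherCompany), evaluate(wallet));
```

The wallet case is the one the thread leaves open: the requesting identity's `groups` claim only tells you which companies the caller manages, while the check Or needs is whether the wallet's owner (available to the policy only as an id string) belongs to one of those groups.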

