[keycloak-user] Fine-grained permissions per resources on KeyCloak

Yuriy Yunikov yuriy.yunikov at verygood.systems
Thu Jan 25 11:14:31 EST 2018


Hi everyone,

I need to create a fine-grained permissions system for backend resources
using KeyCloak and am looking for potential solutions to the problem.
I've already checked the resource management feature
<http://www.keycloak.org/docs/3.3/authorization_services/topics/resource/overview.html>,
but it doesn't work for me for multiple reasons and has very limited
integration in Java, so I don't consider it anymore.

So another solution I came up with is having a permission system based on
roles and composite roles
<http://www.keycloak.org/docs/3.3/server_admin/topics/roles/composite.html>.

[role-name] (composite)
 - tenants:[permission] (composite)
  - tenants:[tenant-identifier]:[permission] (composite)
   - tenants:[tenant-identifier]:[tenant-resource]:[permission] (composite)
    - tenants:[tenant-identifier]:[tenant-resource]:[tenant-resource-identifier]:[permission] (non-composite)

Permissions can be like create/read/update/delete and the plus of this is
that it can scale if we'd have sub-resources. On the backend, I'll be able
to create filters for these permissions and integrate it with Spring
Security.

I'm looking for opinions and would like to know whether this is a valid
structure or there are other solutions which can be used. Any opinions
on this?

Regards,
Yuriy
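The backend check that the role-naming scheme above implies, written as an added example that is not part of the original post and not Keycloak or Spring Security code. It assumes the effective (flattened) role names arrive in the token as plain strings, that tenant and resource identifiers never contain ':', and that a coarser role (for example tenants:acme:read) should cover every finer resource under it with the same permission, so that no role has to be created per resource identifier. The sample token roles are constructed for the example; a Spring Security filter would run the same is_allowed logic in Java.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ROOT = "tenants"
PERMISSIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class Permission:
    # path levels: () realm-wide, (tenant,), (tenant, resource), (tenant, resource, id)
    path: Tuple[str, ...]
    action: str


def parse_role(name: str) -> Optional[Permission]:
    """Parse 'tenants:[...]:permission'; return None for roles outside the scheme.

    Non-scheme roles (e.g. Keycloak's 'offline_access') are ignored rather than
    rejected, so they can coexist in the same token.
    """
    parts = name.split(":")
    if len(parts) < 2 or len(parts) > 5 or parts[0] != ROOT:
        return None
    action = parts[-1]
    if action not in PERMISSIONS:
        return None
    path = tuple(parts[1:-1])
    # An empty segment ('tenants:acme::read') would silently widen a role; refuse it.
    if any(segment == "" for segment in path):
        return None
    return Permission(path, action)


def implies(held: Permission, required: Permission) -> bool:
    """A held role covers a required one if the action matches and the held
    path is a prefix of (i.e. at the same or a coarser level than) the required path."""
    return held.action == required.action and required.path[: len(held.path)] == held.path


def role_for(action: str, *path: str) -> str:
    """Build the role name a resource access requires, e.g. role_for('read', 'acme', 'invoices', 'inv-7')."""
    return ":".join((ROOT, *path, action))


def is_allowed(token_roles: Iterable[str], required_role: str) -> bool:
    """Return True if any role in the token grants the required role."""
    required = parse_role(required_role)
    if required is None:
        return False  # malformed requirement: deny rather than guess
    return any(
        held is not None and implies(held, required)
        for held in (parse_role(name) for name in token_roles)
    )


# Constructed example of the effective roles a token might carry after
# Keycloak expands the composite roles.
SAMPLE_TOKEN_ROLES = [
    "offline_access",
    "uma_authorization",
    "tenants:acme:read",
    "tenants:acme:invoices:inv-42:update",
]

if __name__ == "__main__":
    for role in (
        role_for("read", "acme", "invoices", "inv-7"),
        role_for("update", "acme", "invoices", "inv-7"),
        role_for("update", "acme", "invoices", "inv-42"),
        role_for("read", "globex"),
        role_for("read"),
    ):
        print(f"{role:45} -> {'allow' if is_allowed(SAMPLE_TOKEN_ROLES, role) else 'deny'}")
```

The prefix rule is what makes the hierarchy scale: tenants:acme:read grants read on every resource under acme without enumerating them, while a realm-wide tenants:read is never inferred from a tenant-scoped role. Because the whole check rests on splitting the role name at ':', the backend should also validate that tenant and resource identifiers it creates cannot contain that character.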

