[keycloak-user] getting resource owner and loggedin (identity) user attributes in evaluation context
Suresh Mali
sursma at yahoo.com
Sat Jan 5 08:26:30 EST 2019
Each user has one or more resources, e.g. 'account'.
Each user is assigned one or more agents. (An agent is a different user in the system with the role agent.)
I have added them in user attributes, e.g. let us say there is user_a who has an account resource,
and there are users with the agent role, say 'agent_a', 'agent_b', 'agent_c'.
In user_a's attributes I have added the attribute
allowed_agents = [ 'agent_a', 'agent_b' ]
and agent_a & agent_b have the attribute
allowed_users = ['user_a']
Now in policy evaluation I want to ensure that when agent_a & agent_b try to access a resource owned by user_a they are allowed, while agent_c is not allowed.
How do I access the resource owner's attributes and/or the identity owner's attributes?
I want to write an evaluation something like this:
Is it possible to get $permission.resource.owner.attributes["allowed_agents"] to return ['agent_a','agent_b'] or $identity.attributes['allowed_users'] to return ['user_a'] so that I can evaluate the match?
Something like below:

rule "Authorize Resource Owner"
dialect "mvel"
when
    $evaluation : Evaluation(
        $identity : context.identity,
        $permission : permission,
        // constraint must evaluate to a boolean, hence the >= 0
        $permission.resource.owner.attributes['allowed_agents'].indexOf($identity.id) >= 0
    )
then
    $evaluation.grant();
end
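The check described in the post, written as a Keycloak JavaScript-policy body, as an added example that is not part of the original mail or of Keycloak itself. It uses the identity-side attribute (the agent's own allowed_users list) because the Evaluation API exposes the resource owner only as an id string via getOwner(), not the owner's user attributes. It assumes the agent's allowed_users user attribute has been mapped into the access token with a protocol mapper (identity attributes are built from token claims) and that its values are the owner ids that getOwner() returns; the makeEvaluation() stand-in below is constructed so the policy runs offline and uses readable names in place of user ids.

```javascript
// Added example, not from the mailing-list post or the Keycloak project.
// Real Keycloak JS-policy calls used:
//   $evaluation.getContext().getIdentity()            -> identity with getId(), getAttributes()
//   identity.getAttributes().getValue(name)           -> null if absent, else entry with size()/asString(i)
//   $evaluation.getPermission().getResource().getOwner() -> owner user id (a string)
//   $evaluation.grant() / $evaluation.deny()
// Assumption: 'allowed_users' is mapped into the token and holds owner ids.

function authorizeAgentPolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const resource = $evaluation.getPermission().getResource();
  const ownerId = String(resource.getOwner());

  // The owner may always reach their own resource.
  if (String(identity.getId()) === ownerId) {
    $evaluation.grant();
    return;
  }

  // An agent is allowed only if the owner appears in the agent's own allowed_users list.
  const allowed = identity.getAttributes().getValue('allowed_users');
  if (allowed !== null) {
    for (let i = 0; i < allowed.size(); i++) {
      if (String(allowed.asString(i)) === ownerId) {
        $evaluation.grant();
        return;
      }
    }
  }
  $evaluation.deny();
}

// --- constructed stand-in for the Keycloak evaluation objects (not the real API) ---
function makeEvaluation(identityId, identityAttrs, resourceOwner) {
  let decision = null; // 'grant' | 'deny'
  const attributes = {
    getValue(name) {
      const values = identityAttrs[name];
      if (!values) return null; // mirrors Attributes.getValue() returning null when absent
      return { size: () => values.length, asString: (i) => String(values[i]) };
    },
  };
  return {
    getContext: () => ({
      getIdentity: () => ({ getId: () => identityId, getAttributes: () => attributes }),
    }),
    getPermission: () => ({ getResource: () => ({ getOwner: () => resourceOwner }) }),
    grant() { decision = 'grant'; },
    deny() { decision = 'deny'; },
    isGranted: () => decision === 'grant',
  };
}

// Run the post's scenario against a resource owned by user_a:
// agent_a and agent_b list user_a, agent_c carries no allowed_users attribute.
function evaluateScenario() {
  const cases = {
    agent_a: { allowed_users: ['user_a'] },
    agent_b: { allowed_users: ['user_a'] },
    agent_c: {},
    user_a: { allowed_users: ['someone_else'] }, // owner, granted regardless of list
  };
  const results = {};
  for (const [who, attrs] of Object.entries(cases)) {
    const ev = makeEvaluation(who, attrs, 'user_a');
    authorizeAgentPolicy(ev);
    results[who] = ev.isGranted();
  }
  return results;
}
```

In a real policy only the body of authorizeAgentPolicy is pasted into the Keycloak JS policy editor, with `$evaluation` supplied by Keycloak; the deny() call matters because an explicit decision keeps the policy from being evaluated as "not applicable" when neither branch grants.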