[keycloak-user] getting resource owner and logged-in (identity) user attributes in evaluation context
Dmitry Telegin
dt at acutus.pro
Sat Jan 5 10:28:21 EST 2019
Hello Suresh,
I've experimented a bit with JavaScript policy, I hope with Drools things will be similar.
You can obtain a user's custom attributes using the following expression:
var attrs = $evaluation.realm.getUserAttributes(id);
where id is either $evaluation.context.identity.id (the user being authorized) or $evaluation.permission.resource.owner (UMA resource owner).
Hope this helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
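To make the expressions in this reply concrete, here is an added example (mine, not code from the thread or from Keycloak itself) of a JavaScript policy that implements Suresh's agent/owner check. It reads the resource owner's allowed_agents and the calling agent's allowed_users through $evaluation.realm.getUserAttributes(id) and grants only when both sides agree. Two assumptions: the attribute values are Keycloak user ids (identity.id is the subject id, not the username), and the stand-in $evaluation object at the bottom is constructed solely so the policy logic can be run offline; the attribute data it contains is made up to mirror the question.

```javascript
// Added example (not code from the mail thread or from Keycloak): a Keycloak
// JavaScript policy built on the expressions in the reply above.  Nashorn-era
// policies run as plain ES5 with a global `$evaluation`, whose relevant parts are:
//   $evaluation.context.identity.id         -> id of the user being authorized
//   $evaluation.permission.resource.owner   -> id of the UMA resource owner
//   $evaluation.realm.getUserAttributes(id) -> java.util.Map<String, java.util.List<String>>
// Assumption: allowed_agents / allowed_users hold Keycloak user *ids*, because
// identity.id is the subject id, not the username.

// True if the multi-valued attribute `name` of user `userId` contains `value`.
// Missing user, missing attribute and empty list all count as "not allowed".
function attributeContains(evaluation, userId, name, value) {
    var attrs = evaluation.realm.getUserAttributes(userId);
    if (attrs === null || attrs === undefined) { return false; }
    var values = attrs.get(name);                 // java.util.List<String> or null
    if (values === null || values === undefined) { return false; }
    for (var i = 0; i < values.size(); i++) {     // Java List interop: size()/get(i)
        if (values.get(i) == value) { return true; }
    }
    return false;
}

// Policy decision: returns true on grant, false on deny, and records the
// decision on the evaluation object exactly as a real policy script would.
function evaluateAgentAccess(evaluation) {
    var agentId = evaluation.context.identity.id;
    var ownerId = evaluation.permission.resource.owner;

    if (agentId == ownerId) {                     // owners may always reach their own resources
        evaluation.grant();
        return true;
    }
    // Require consent on both sides: the owner lists the agent AND the agent
    // lists the owner.  The owner's list alone would already be the minimum.
    var ownerAllowsAgent = attributeContains(evaluation, ownerId, 'allowed_agents', agentId);
    var agentListsOwner  = attributeContains(evaluation, agentId, 'allowed_users', ownerId);
    if (ownerAllowsAgent && agentListsOwner) {
        evaluation.grant();
        return true;
    }
    evaluation.deny();                            // explicit deny rather than relying on the default
    return false;
}

// ---- Everything below is a constructed stand-in for Keycloak, used only to
// ---- exercise the policy offline.  In Keycloak the script body is just:
// ----     evaluateAgentAccess($evaluation);

// Minimal shims with the Java List/Map methods the policy actually calls.
function javaList(arr) {
    return { size: function () { return arr.length; }, get: function (i) { return arr[i]; } };
}
function javaMap(obj) {
    return { get: function (k) { return Object.prototype.hasOwnProperty.call(obj, k) ? obj[k] : null; } };
}

// Constructed realm data mirroring the question: user_a lists agent_a and
// agent_b; agent_a and agent_b list user_a back; agent_c lists nobody.
var USER_ATTRIBUTES = {
    'user_a':  javaMap({ 'allowed_agents': javaList(['agent_a', 'agent_b']) }),
    'agent_a': javaMap({ 'allowed_users':  javaList(['user_a']) }),
    'agent_b': javaMap({ 'allowed_users':  javaList(['user_a']) }),
    'agent_c': javaMap({})
};

function makeEvaluation(agentId, ownerId) {
    return {
        decision: null,
        context: { identity: { id: agentId } },
        permission: { resource: { owner: ownerId, name: 'account' } },
        realm: { getUserAttributes: function (id) {
            return Object.prototype.hasOwnProperty.call(USER_ATTRIBUTES, id) ? USER_ATTRIBUTES[id] : null;
        } },
        grant: function () { this.decision = 'GRANT'; },
        deny:  function () { this.decision = 'DENY'; }
    };
}

// Convenience: run the policy for one agent/owner pair and return the decision.
function decide(agentId, ownerId) {
    var ev = makeEvaluation(agentId, ownerId);
    evaluateAgentAccess(ev);
    return ev.decision;
}
```

Note that the loop uses size()/get(i) rather than a JavaScript indexOf, because the value returned by getUserAttributes is a Java Map of Java Lists, and that an attribute that is absent comes back as null, which the helper treats as a deny rather than letting the script throw.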
On Sat, 2019-01-05 at 13:26 +0000, Suresh Mali wrote:
> Each user has one or more resources, e.g. 'account'.
> Each user is assigned one or more agents (an agent is a different user in the system with the role agent).
> I have added them in user attributes, e.g. let us say there is user_a who has the account resource,
> and there are users with agent roles, say 'agent_a', 'agent_b', 'agent_c'.
> In user_a's attributes I have added the attribute
> allowed_agents = [ 'agent_a' ,'agent_b']
> and agent_a & agent_b have the attribute
> allowed_users = ['user_a']
> Now in policy evaluation I want to ensure that when agent_a & agent_b try to access a resource owned by user_a they are allowed, while agent_c is not allowed.
> How do I access the resource owner's attributes and/or the identity owner's attributes?
> I want to write an evaluation like this:
> Is it possible to get $permission.resource.owner.attributes["allowed_agent"] to return ['agent_a','agent_b'] or $identity.attributes['allowed_users'] to return ['user_a'] so that I can evaluate the match?
> Something like below:
> rule "Authorize Resource Owner"
> dialect "mvel"
> when
>     $evaluation : Evaluation(
>         $identity: context.identity,
>         $permission: permission,
>         // indexOf() returns -1 when absent, so compare against 0 to get a boolean constraint
>         $permission.resource.owner.attributes['allowed_agents'].indexOf($identity.id) >= 0
>     )
> then
>     $evaluation.grant();
> end
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user