<div dir="ltr">Hi Pedro,<div><br></div><div>I have just started looking at the <span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Keycloak Authorization Services that was introduced in 2.0.0.Final.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">I too have a similar use case. For example, we have a project management system where projects belong to a project manager. A project manager can have more than one project. Each project manager has access to only their own projects.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Project Managers in turn report to Portfolio Managers. So a Portfolio Manager should be able to access all his/her project manager's projects.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">At the moment, how we handle this is by having a seperate mapping within the application and since we build/own the applicaiton, we filter out the JPA query results based on the above rules.BTW, our services are REST based (i.e. JAX-RS) KeyCloak is essentially used for Authentication via a federated LDAP/AD provider and we use Keycloak roles to protect the services/front end screen options.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif">Are you saying that we can filter the data outside the application via </font><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Keycloak Authorization Services? Maybe I need to start looking at the demo examples a bit more.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">I believe Rong's use case is also the same so hope I have not hijacked this thread.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Cheers</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Travis</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, 30 Jul 2016 at 09:51 Pedro Igor Silva <<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Rong,<br>
<br>
Can you provide more details about your use case ? For instance:<br>
<br>
* Are you the service owner ?<br>
* Is your service using a REST-style ? How the API looks like ?<br>
* Is your service already protected using a bearer token ?<br>
* How are you representing the user's unit ? Realm, Group, role or just a user claim/attribute ?<br>
* What is behind: "Users should not have the access to patients in a unit that they are not authorized". What "not authorized" really means ? What kinds of policies you want to apply ?<br>
<br>
From what you described, it seems that you can achieve what you want with different approaches. It all depends on what you really need and how fine-grained you want to be. For instance, units can be represented as groups in Keycloak. You can enforce group membership in your application by introspecting the bearer token (issued by a Keycloak server to some client). The same logic applies if you are using roles or attributes to represent units.<br>
<br>
In 2.0.0.Final, we have introduced Keycloak Authorization Services. This one is related with externalized and fine-grained authorization, which gives you great flexibility to define, manage, deploy and enforce authorization polices to your application and organization. Indeed, one of the protocols we are supporting (not fully, yet), UMA, is pretty much based on several healthcare use cases. For instance, you can manage the policies that apply to patient records in Keycloak and also let Keycloak enforce these policies to requests sent to your application. In this case, you can define not only a "from unit have access" policy, but also apply even more fine-grained policies to your service using the different policy providers (ABAC and Context-based, RBAC, Time-based, Rules-based, User-based, more to come...) we provide. We are still missing some very nice parts of UMA though, as currently we are focusing on API security use cases. But I hope to get those missing parts implemented soon.<br>
<br>
Regards.<br>
Pedro Igor<br>
<br>
<br>
----- Original Message -----<br>
From: "Rong Sang (CL-ATL)" <<a href="mailto:rsang@carelogistics.com" target="_blank">rsang@carelogistics.com</a>><br>
To: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Sent: Friday, July 29, 2016 5:23:20 PM<br>
Subject: [keycloak-user] How to implement this using Keycloak<br>
<br>
<br>
<br>
Hi all,<br>
<br>
<br>
<br>
I’m doing a POC using Keycloak. The normal authentication/authorization features work well, but I have the following requirement that cannot find a straightforward solution for. I hope some security experts in the mailing list can point me to the right direction.<br>
<br>
<br>
<br>
Here is the requirement. A hospital has multiple units. Users should not have the access to patients in a unit that they are not authorized. I have one service that returns a list of patients across units. What’s the best way to set up authorization for this service?<br>
<br>
<br>
<br>
As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly appreciated.<br>
<br>
<br>
<br>
Thanks,<br>
<br>
<br>
<br>
Rong<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote></div>