<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:#1F4E79;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<p id="janusNET.janusSEAL.Outlook.ProtectiveMarking.Body.Prefix" style="text-align: left; font-family: 'Arial'; font-size: 9pt; font-weight: normal; font-style: normal; text-decoration: none; color: #000000; ">
Classification: INTERNAL</p>
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F4E79">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I’ve been looking at all the Authz examples with 2.1.0 CR1, and I’ve been trying to fit/model them for my application.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Let’s say there’s a feature in an application to process loan applications. Possible actions on a loan application are to view, edit, approve or reject them. However, users can take specific actions on applications
based on the geographical zone in which requests are raised. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">For e.g. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">User A can view applications across all Zones, but approve or reject applications only if they are from Zone A.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">User B can only view applications from Zone B, and cannot do anything else.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">User C can do all actions for all Zones.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">In the authorization tab, Loan Application is created as a resource, with scopes created for each action (view/edit/approve/reject).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Scope based Permissions are created for each scope, and are attached to a policy. Now the policy is where I’d to implement the check on the zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">I could create each Zone as a group or as a client role. I chose to create a client role for each Zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Now, if user A logs in to the application, I have a screen where they can search for applications to view/process. User A should get to see a list of all applications, since he has view access to all, but only
process <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">When I request for an authorization through the entitlement API, the response tells me that Zone A and Zone B are the client roles, and view and approve and reject are allowed scopes, but does *<b>not</b>* say
that Zone B scope is only view, and Zone A scopes are view, approve and reject. The response is a list of client roles and scopes (with resources), but does not link the client role to a resource-scope combination. I couldn’t find a way to make individual
requests (like tell me what scopes are allowed for this resource, for this particular client role/group?)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">As a result, I cannot use the idea of creating zones as either client roles or groups.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">How then do I model this in KeyCloak? Thank you for reading the long example, and looking forward to a response!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F4E79">Regards, Ushanas.<o:p></o:p></span></p>
</div>
<P>This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediatelydelete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entit.</P></body>
</html>