Like Marek said, we are working on a new set of functionalities to leverage Keycloak's
authorization model to also support fine-grained permissions.
By fine-grained, that means you'll be able to manage your resources and their
respective scopes and associate them with authorization policies that rule who, when, how
access should be granted. These policies can be based on ABAC, RBAC, Context-based,
etc. Some policies can even be written using JavaScript (which gives you great
flexibility) or JBoss Drools.
Right now, I'm merging the code that Marek pointed out with upstream/master. However,
for the latest code about this stuff, please consider [1].
I hope to get a PR this week, but feel free to take a look and try it out :)
[1] https://github.com/pedroigor/keycloak/tree/KEYCLOAK-2753
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Duarte" <duarteetraud(a)gmail.com>, keycloak-dev(a)lists.jboss.org
Cc: "Pedro Igor Silva" <psilva(a)redhat.com>
Sent: Monday, April 11, 2016 9:48:08 AM
Subject: Re: [keycloak-dev] Attribute-based Access Control
There is an authorization prototype by Pedro in progress. You can check it
here
https://github.com/pedroigor/keycloak-authz
Marek
On 09/04/16 14:45, Duarte wrote:
Hi,
My name is Duarte, and this is the first post on this dev-list.
My question is regarding Attribute-based Access Control. Is there any
usable feature for Attribute based decision for resource access? Or do
I have to make my own?
Basically what I want to do is a PEP (Policy Enforcement Point) and a
PDP (Policy Decision Point) on Keycloak with external attributes
(Federated).
e.g.: a user who has attribute X can only access files A<->B, and a user with
attribute Y can only access B<->L.
Thank you.
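Duarte's example rule (attribute X grants files A<->B, attribute Y grants B<->L) written out as a small PDP/PEP pair. This is an added example, not part of the thread and not Keycloak's code or API; it assumes `A<->B` means the inclusive range of single-letter file names, and the attribute name `clearance`, the sample users and all function names are hypothetical.

```javascript
// Added example: a minimal PDP/PEP pair. Not Keycloak code and not its API.
// Assumption: "A<->B" means the inclusive range of single-letter file names A..B.

// Constructed policies: holders of an attribute value get scopes on a file range.
const policies = [
  { attribute: "clearance", value: "X", from: "A", to: "B", scopes: ["read"] },
  { attribute: "clearance", value: "Y", from: "B", to: "L", scopes: ["read"] },
];

// Federated attributes may arrive single- or multi-valued; normalise to an array.
function attributeValues(user, name) {
  const v = user.attributes ? user.attributes[name] : undefined;
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// PDP: deny by default; permit only when one policy matches attribute, file and scope.
function decide(user, file, scope) {
  // A malformed resource id is never matched against a range.
  if (typeof file !== "string" || !/^[A-Z]$/.test(file)) return "DENY";
  for (const p of policies) {
    const holds = attributeValues(user, p.attribute).includes(p.value);
    const inRange = file >= p.from && file <= p.to;
    if (holds && inRange && p.scopes.includes(scope)) return "PERMIT";
  }
  return "DENY";
}

// PEP: sits in front of the resource and enforces whatever the PDP decided.
function enforce(user, file, scope, handler) {
  if (decide(user, file, scope) !== "PERMIT") {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: handler(file) };
}

// Constructed sample users.
const alice = { name: "alice", attributes: { clearance: "X" } };
const bob = { name: "bob", attributes: { clearance: ["Y"] } };
const carol = { name: "carol", attributes: {} };
```

File B is covered by both ranges, so either attribute grants it; a user with no matching attribute, an unlisted scope or a malformed file name falls through to DENY.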