Hello,
for a use case I need to support segregation of duties across multiple applications.
Segregation of Duties (SoD) is a mechanism that prevents the accumulation of too much power in the hands of a single person. It places constraints on the assignment of entitlements to users. For example, SoD may prevent a single user from creating a request and also approving it.
Have you already considered adding this feature?
In the context of Keycloak this would mean specifying that two roles are mutually exclusive, determined based on the overall effective roles of a user; the same may apply to service accounts.
Issue is here:
https://issues.jboss.org/browse/KEYCLOAK-3307
Some thoughts about adding that to Keycloak.
Support for “Segregation of Duties” (SoD) for a realm could be controlled with an on/off switch.
If SoD is enabled, an administrator can select a set of roles which are then treated as mutually exclusive to the given role when creating or updating a role.
Mutually exclusive roles could be stored as a pair role1:role2 (with their ids) in a table like e.g. keycloak_roles_mutex or keycloak_roles_sod.
If role1 is mutually exclusive to role2, then role2 is mutually exclusive to role1.
-
Creating / Updating a Role with SoD
When creating a new or editing an existing role (role1), an administrator could configure SoD by specifying a list of roles that are mutually exclusive to the current role (e.g. role2), perhaps called “Segregation of Duty Roles”.
-
Validating a role assignment with SoD
When assigning a role to a user, Keycloak would check if the given role combined with any effective role of the user matches a registered pair in the keycloak_roles_mutex table.
If this is the case, the assignment would be rejected with an error, perhaps indicating which roles cause the conflict. Otherwise the role can be assigned.
The same would apply to roles added to groups when a user wants to join a group.
-
Special Case: Updating a Role with SoD
When configuring SoD for an existing role it might happen that there already exists a user role mapping with a then-invalid configuration. In that case SoD cannot be enabled for the given role until the conflicting role mappings are cleared.
Until Keycloak provides a way to inspect granted and effective roles assigned to a user in more detail, users would need to fall back to database queries to find all conflicting user role mappings.
-
Removing a Role with SoD configuration
When a role is removed and it had SoD roles configured, those mappings must be removed as well.
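As an added example (not part of this proposal and not Keycloak code), a stand-alone Python model of the checks described above: the mutex table as a set of unordered role pairs, the assignment check against a user's effective roles (direct mappings, group roles, composites expanded), the special case of refusing a new pair while some user already holds both roles, and cleanup on role removal. It goes slightly beyond the text in also expanding the composites of the role being assigned, so assigning a composite cannot bring in a conflicting child role unnoticed; all role, group and user names are constructed.

```python
# Stand-alone model of the proposed SoD checks; this is not Keycloak code.
class SodModel:
    def __init__(self):
        self.composites = {}   # composite role -> set of child roles
        self.group_roles = {}  # group -> set of role mappings
        self.user_roles = {}   # user -> set of direct role mappings
        self.user_groups = {}  # user -> set of group memberships
        # Stand-in for keycloak_roles_mutex: unordered pairs, so role1:role2 and
        # role2:role1 are one entry and the symmetry rule holds by construction.
        self.mutex = set()

    def expand(self, roles):
        """Close a role set under composite membership (transitively)."""
        todo, seen = set(roles), set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo |= self.composites.get(r, set())
        return seen

    def effective_roles(self, user):
        """Direct mappings plus roles inherited from groups, composites expanded."""
        roles = set(self.user_roles.get(user, set()))
        for g in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(g, set())
        return self.expand(roles)

    def conflicts(self, new_roles, held):
        """Registered pairs hit when new_roles (expanded) are added to held."""
        return sorted(f"{n}:{h}" for n in self.expand(new_roles)
                      for h in held if frozenset((n, h)) in self.mutex)

    def assign_role(self, user, role):
        # Add a user role mapping unless SoD rejects it; returns the conflicts.
        bad = self.conflicts({role}, self.effective_roles(user))
        if not bad:
            self.user_roles.setdefault(user, set()).add(role)
        return bad

    def register_mutex(self, role1, role2):
        """Special case: refuse the pair while any user already holds both roles."""
        users = self.user_roles.keys() | self.user_groups.keys()
        holders = sorted(u for u in users if {role1, role2} <= self.effective_roles(u))
        if not holders:
            self.mutex.add(frozenset((role1, role2)))
        return holders

    def remove_role(self, role):
        """Deleting a role drops every SoD pair that references it."""
        self.mutex = {p for p in self.mutex if role not in p}
```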
Thoughts?
Cheers,
Thomas