There is a limitation here in how resource types are used. You could
achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource
instances", with an owner other than the resource server. But this does not
seem to be your case.
There is one way to achieve this by using a JS Policy. Still not ideal, but
something like this:
====
var permission = $evaluation.getPermission();
var scopes = permission.getScopes();

// Placeholder: replace with the group-membership check from the docs linked below
var userIsInGroup = false;

// Walk backwards so that removing an entry does not skip the one after it
for (var i = scopes.size() - 1; i >= 0; i--) {
    var scope = scopes.get(i);
    if (scope.getName().equals("read") && userIsInGroup) {
        scopes.remove(scope);
    }
}
// grant or deny the permission
====
To check if a user is a member of a group, please take a look at
https://www.keycloak.org/docs/latest/authorization_services/index.html#ch... .
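As an added example (not from this thread and not Keycloak's own code), the requirement from the question, only SCOPE_READ for USER_GROUP_A, written as a scope-trimming policy against a constructed stand-in for Keycloak's $evaluation so it runs in Node; the group-to-scope mapping, getUserGroups() and decision() are assumptions of the stand-in, not Keycloak API, and in a real JS policy only the body of evaluatePolicy() would be used with the group check from the docs.

```javascript
// Added example, not from the thread: the scope-trimming policy idea above,
// written against a small constructed stand-in for Keycloak's $evaluation so
// it can run in Node. In a real JS policy only evaluatePolicy's body is used,
// with getUserGroups() replaced by the group check from the Keycloak docs.

// Scopes each group may keep on the resource type (constructed mapping).
const ALLOWED_SCOPES_BY_GROUP = { USER_GROUP_A: ["SCOPE_READ"] };

// Returns the scope names that survive for a caller in the given groups.
function allowedScopes(scopeNames, userGroups) {
  const allowed = new Set();
  for (const g of userGroups) {
    for (const s of ALLOWED_SCOPES_BY_GROUP[g] || []) allowed.add(s);
  }
  return scopeNames.filter((n) => allowed.has(n));
}

// Policy body. permission.getScopes() behaves like a Java List (size/get/remove).
// Scopes to drop are collected first: removing while indexing skips entries.
function evaluatePolicy(evaluation) {
  const scopes = evaluation.getPermission().getScopes();
  const names = [];
  for (let i = 0; i < scopes.size(); i++) names.push(scopes.get(i).getName());
  const keep = new Set(allowedScopes(names, evaluation.getUserGroups()));
  const drop = [];
  for (let i = 0; i < scopes.size(); i++) {
    if (!keep.has(scopes.get(i).getName())) drop.push(scopes.get(i));
  }
  drop.forEach((s) => scopes.remove(s));
  // An empty scope set is no grant at all, so deny explicitly.
  if (scopes.size() > 0) evaluation.grant(); else evaluation.deny();
  return evaluation.decision();
}

// Constructed stand-in for $evaluation (test scaffolding, not Keycloak API).
function makeEvaluation(scopeNames, userGroups) {
  const list = scopeNames.map((n) => ({ getName: () => n }));
  let decision = "deny";
  const scopes = {
    size: () => list.length,
    get: (i) => list[i],
    remove: (s) => { list.splice(list.indexOf(s), 1); },
    names: () => list.map((s) => s.getName()),
  };
  return {
    getPermission: () => ({ getScopes: () => scopes }),
    getUserGroups: () => userGroups,
    grant: () => { decision = "grant"; },
    deny: () => { decision = "deny"; },
    decision: () => decision,
  };
}
```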
On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Hi Pedro,
If I create a scope-based permission without specifying the resource, then
that permission will apply to all the resources.
For instance in the example I mentioned in my previous email:
I want to create permissions to give only SCOPE_READ access (not
SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
If I grant a permission for SCOPE_READ without specifying the resource,
then basically I am granting SCOPE_READ to all the resources, which is not
what I want. I want to only give SCOPE_READ to a specific set of resources.
I think, as you mentioned, merging resource-based and scope-based
permissions is a good idea and would work better. But now that we do not
have this feature, is there any other way to accomplish this somehow, using
policies or something else?
Cheers
Farzad
On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> You can create a scope-based permission for a specific scope (without setting a
> resource). Would that help?
>
> I think we could also think about merging resource-based permission into
> scope-based permission so that we only have a single type of permission.
>
> Regards.
> Pedro Igor
>
> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Hi,
>>
>> I have a client authorization set-up like the following:
>>
>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>
>> USER_1: USER_GROUP_A
>> USER_2: USER_GROUP_A
>>
>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>
>> I want to create permissions to give only SCOPE_READ access (not
>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>
>> If I create a resource-based permission then it will grant access to
>> both scopes.
>> Unfortunately I cannot create a scope-based permission because scope
>> permission does not support resource type. It only supports resource. If I
>> want to use scope-based permission then I have to create a permission for
>> every single resource in my resource type.
>>
>> I was wondering if there is a reason that scope-based permission does not
>> support resource type?
>>
>> Also, does anyone have any idea how I can achieve my requirement given the
>> limitations that we have? Is there a way to create a policy that grants
>> access only to a certain scope?
>>
>>
>> Cheers
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>