Re: [keycloak-user] Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant?

> On Tue, Sep 18, 2018 at 11:29 AM Brian Brooks (US) <mailto:Brian.Brooks@datapath.com> wrote: > > 1. Is there any way to design a keycloak policy for a oauth/uma/bearer token authorization client/resource owner > that efficiently expresses the idea that a user is granted access to most items but denied access to a few? > > Our system manages devices and for some customer systems we have as many as 0.1 million devices. > We'd like the app's keycloak policy to default to granting a user write access to all devices > but deny access to maybe a few dozen. Ideally, the Requesting Party Token (RPT) response would > contain a list of permissions like > > Permission {id=3e633107-2291-4694-9f07-728ea6fa7744, name=All Devices Resource, scopes=[device:grant:write]} > Permission {id=86d95056-7e24-4888-93ed-2afe33199212, name=Device 123 Resource, scopes=[device:deny]} > Permission {id=33333333-3333-3333-3333-333333333333, name=Device 456 Resource, scopes=[device:deny]} On Tuesday, September 18, 2018 5:23 PM Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: Do you mean also returning the resources/scopes that were not granted by the server ?