Hello,
I've been looking at all the Authz examples with 2.1.0 CR1, and I've been trying
to fit/model them for my application.
Let's say there's a feature in an application to process loan applications.
Possible actions on a loan application are to view, edit, approve or reject them. However,
users can take specific actions on applications based on the geographical zone in which
requests are raised.
For example:
User A can view applications across all Zones, but approve or reject applications only if
they are from Zone A.
User B can only view applications from Zone B, and cannot do anything else.
User C can do all actions for all Zones.
In the authorization tab, Loan Application is created as a resource, with scopes created
for each action (view/edit/approve/reject).
Scope-based permissions are created for each scope, and are attached to a policy. Now the
policy is where I'd like to implement the check on the zone.
I could create each Zone as a group or as a client role. I chose to create a client role
for each Zone.
Now, if user A logs in to the application, I have a screen where they can search for
applications to view/process. User A should get to see a list of all applications, since
he has view access to all, but only process
When I request an authorization through the entitlement API, the response tells me
that Zone A and Zone B are the client roles, and view and approve and reject are allowed
scopes, but does *not* say that Zone B scope is only view, and Zone A scopes are view,
approve and reject. The response is a list of client roles and scopes (with resources),
but does not link the client role to a resource-scope combination. I couldn't find a
way to make individual requests (like tell me what scopes are allowed for this resource,
for this particular client role/group?)
As a result, I cannot use the idea of creating zones as either client roles or groups.
How then do I model this in KeyCloak? Thank you for reading the long example, and looking
forward to a response!
Regards, Ushanas.
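An added illustration of the modeling the question is circling around, not code from the thread or from Keycloak itself: if the zone is made part of the resource (one loan-application resource per zone) rather than carried only as a bare client role, a scope-based evaluation naturally yields per-zone scope lists, which is exactly the link between role and resource-scope combination that the entitlement response above does not provide. The resource and role names, and the three users, are constructed for the example.

```python
from collections import defaultdict

ACTIONS = ("view", "edit", "approve", "reject")
PROCESS = ("edit", "approve", "reject")

# Constructed resources: one loan-application resource per zone, each carrying all four scopes.
RESOURCES = {"loan-application-zone-a": "a", "loan-application-zone-b": "b"}


def build_permissions():
    """Scope-based permissions keyed by (resource, scope) -> roles that satisfy its policy.

    Per zone the policy is role-based: a zone viewer role, a zone processor role,
    and a global 'loan-admin' role that satisfies every permission (all names constructed).
    """
    perms = {}
    for resource, z in RESOURCES.items():
        viewer, processor = f"zone-{z}-viewer", f"zone-{z}-processor"
        perms[(resource, "view")] = frozenset({viewer, processor, "loan-admin"})
        for scope in PROCESS:
            perms[(resource, scope)] = frozenset({processor, "loan-admin"})
    return perms


def entitlements(user_roles, permissions=None):
    """Evaluate every (resource, scope) permission against the caller's roles.

    Returns {resource: sorted allowed scopes}: because the zone is part of the
    resource name, each zone now comes paired with only the scopes granted there.
    """
    permissions = build_permissions() if permissions is None else permissions
    roles = set(user_roles)
    granted = defaultdict(set)
    for (resource, scope), allowed_roles in permissions.items():
        if roles & allowed_roles:
            granted[resource].add(scope)
    return {r: sorted(s) for r, s in granted.items()}


def can(user_roles, zone, action):
    """Point check used by the search/process screen: may these roles do `action` in `zone`?"""
    resource = f"loan-application-zone-{zone.lower()}"
    return action in entitlements(user_roles).get(resource, [])


if __name__ == "__main__":
    users = {
        "A": {"zone-a-processor", "zone-b-viewer"},  # views all zones, processes only Zone A
        "B": {"zone-b-viewer"},                      # views Zone B only
        "C": {"loan-admin"},                         # every action in every zone
    }
    for name, roles in users.items():
        print(name, entitlements(roles))
```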