On Sat, Jun 15, 2019 at 6:07 AM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Thanks Pedro. I will check it out. Let us know here when you create
that UI JIRA ticket.
On Fri, Jun 14, 2019 at 6:44 AM Pedro Igor Silva <psilva(a)redhat.com>
wrote:
> Yeah, I do. I've been thinking about this for a while and I think it
> would make permission mgmt easier without too many choices on how to do
> it. It should be a quite trivial change as both share the same model. More
> a UI refactoring.
>
> Will create a JIRA for it.
>
> FYI, I've just pushed some changes for allowing people to configure a
> global decision strategy so that you change how permissions are evaluated.
> Please, take a look at
> https://github.com/keycloak/keycloak-documentation/pull/680. Maybe it
> can also help your use case.
>
> On Thu, Jun 13, 2019 at 3:56 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Thanks Pedro. I will try this out.
>>
>> BTW, do you think merging the resource-based and scope-based permissions
>> would be in your roadmap for anytime soon?
>>
>> On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> There is a limitation here in how resource types are used. You could
>>> achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource
>>> instance", with the owner other than the resource server. But this does
>>> not seem to be your case.
>>>
>>> There is one way to achieve this by using a JS Policy. Still not ideal,
>>> but something like this:
>>>
>>> ====
>>> var permission = $evaluation.getPermission();
>>> var scopes = permission.getScopes();
>>>
>>> // walk backwards so that removing a scope does not skip the next one
>>> // (scopes is a Java List, so use size()/get() rather than length)
>>> for (var i = scopes.size() - 1; i >= 0; i--) {
>>>     var scope = scopes.get(i);
>>>
>>>     if (scope.getName().equals("read")) {
>>>         // check here if the user is member of a group
>>>         var isGroupMember = false; // placeholder: replace with the real check
>>>         if (isGroupMember) {
>>>             permission.getScopes().remove(scope);
>>>         }
>>>     }
>>> }
>>>
>>> // grant or deny the permission
>>> ====
>>>
>>> To check if a user is a member of a group, please take a look at
>>>
>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#ch...
>>> .
>>>
>>> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>>> wrote:
>>>
>>>> Hi Pedro,
>>>>
>>>> If I create a scope-based permission without specifying the resource,
>>>> then that permission will apply to all the resources.
>>>> For instance in the example I mentioned in my previous email:
>>>>
>>>> I want to create permissions to give only SCOPE_READ access (not
>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>
>>>> If I grant a permission for SCOPE_READ without specifying the resource
>>>> then basically I am granting SCOPE_READ to all the resources which is
>>>> not what I want. I want to only give SCOPE_READ to a specific set of
>>>> resources.
>>>>
>>>> I think as you mentioned merging resource-based and scope-based
>>>> permissions is a good idea and would work better. But now that we do not
>>>> have this feature, is there any other way to accomplish this somehow
>>>> using policies or something else?
>>>>
>>>> Cheers
>>>>
>>>> Farzad
>>>>
>>>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>>> You can create scope-based permission for a specific scope (without
>>>>> setting a resource). Would that help?
>>>>>
>>>>> I think we could also think about merging resource-based permission
>>>>> into scope-based permission so that we only have a single type of
>>>>> permission.
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a client authorization set-up like the following:
>>>>>>
>>>>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>
>>>>>> USER_1: USER_GROUP_A
>>>>>> USER_2: USER_GROUP_A
>>>>>>
>>>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>>>>
>>>>>> I want to create permissions to give only SCOPE_READ access (not
>>>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>>>
>>>>>> If I create a resource based permission then it will grant access to
>>>>>> both scopes.
>>>>>> Unfortunately I cannot create a scope based permission because scope
>>>>>> permission does not support resource type. It only supports
>>>>>> resource. If I want to use scope based permission then I have to
>>>>>> create a permission for every single resource in my resource type.
>>>>>>
>>>>>> I was wondering if there is a reason that scope based permission
>>>>>> does not support resource type?
>>>>>>
>>>>>> Also, does anyone have any idea how I can achieve my requirement given
>>>>>> the limitations that we have? Is there a way to create a policy that
>>>>>> grants access only to a certain scope?
>>>>>>
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Farzad
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
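The JS policy Pedro sketches above, worked through as an added example that is not code from the thread or from the Keycloak project: it keeps only the "read" scope for members of USER_GROUP_A on resources of type RESOURCE_TYPE_ALPHA, and a constructed stand-in for Keycloak's $evaluation object lets it run under Node. The group path, the getResource().getType() accessor and the getRealm().isUserInGroup(id, groupPath) check are assumptions about the Keycloak policy API, not taken from the thread.

```javascript
// Added example, not code from the thread: Pedro's JS policy sketch filled in
// so USER_GROUP_A keeps only "read" on RESOURCE_TYPE_ALPHA, with a constructed
// stand-in for Keycloak's $evaluation so it runs under Node. Assumed Keycloak
// API: getResource().getType(), getScopes() as a Java List (size/get/remove),
// getContext().getIdentity().getId(), getRealm().isUserInGroup(id, groupPath).
var RESOURCE_TYPE = "RESOURCE_TYPE_ALPHA"; // from the thread
var GROUP_PATH = "/USER_GROUP_A";          // assumed group path
var ALLOWED = ["read"];                    // scopes the group may keep

// Policy body, ES5 only so it could be pasted into a Keycloak JS policy.
function readOnlyForGroupPolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var userId = $evaluation.getContext().getIdentity().getId();
  if (!resource || resource.getType() !== RESOURCE_TYPE ||
      !$evaluation.getRealm().isUserInGroup(userId, GROUP_PATH)) {
    return $evaluation.deny(); // wrong type or not a member: no scopes at all
  }
  var scopes = permission.getScopes();
  // Walk backwards: removing while iterating forward skips the next element.
  for (var i = scopes.size() - 1; i >= 0; i--) {
    var scope = scopes.get(i);
    if (ALLOWED.indexOf(scope.getName()) === -1) {
      scopes.remove(scope); // drop "write" and anything else not allowed
    }
  }
  // Granting with a trimmed list grants only the scopes that remain.
  if (scopes.size() > 0) { $evaluation.grant(); } else { $evaluation.deny(); }
}

// Constructed stand-in for the runtime objects; returns decision and scopes.
function evaluate(userId, groups, resourceType, scopeNames) {
  var list = scopeNames.map(function (n) { return { getName: function () { return n; } }; });
  var scopes = {
    size: function () { return list.length; },
    get: function (i) { return list[i]; },
    remove: function (s) { list.splice(list.indexOf(s), 1); }
  };
  var resource = { getType: function () { return resourceType; } };
  var realm = { isUserInGroup: function (id, p) { return id === userId && groups.indexOf(p) >= 0; } };
  var decision = null;
  readOnlyForGroupPolicy({
    getPermission: function () { return { getResource: function () { return resource; }, getScopes: function () { return scopes; } }; },
    getContext: function () { return { getIdentity: function () { return { getId: function () { return userId; } }; } }; },
    getRealm: function () { return realm; },
    grant: function () { decision = "GRANT"; },
    deny: function () { decision = "DENY"; }
  });
  return { decision: decision, scopes: list.map(function (s) { return s.getName(); }) };
}
```

Calling evaluate("USER_1", ["/USER_GROUP_A"], "RESOURCE_TYPE_ALPHA", ["read", "write"]) yields a GRANT carrying only "read"; a non-member, a resource of another type, or a permission that asked for "write" alone is denied.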