Ok, thank you. Yes, I have seen the REST API; I hadn't really thought I needed to use the API for this. What are you thinking?

On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Yeah, I think so. I need to document this ... But we also expose endpoints in the Admin REST API which you could use to manage these permissions/policies from your app.
> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <melissa.palmer(a)gmail.com> wrote:
> Thanks Pedro, I will take a closer look.
> Yes, I'll put the workflow in the app. But we do want to manage the permissions in Keycloak.
>
> I tried to align with the QuickStart to explain. But it's not necessarily on a resource that I own that I want to do this. For example, it could be against adding products in an ecommerce app, or transactions for a company.
>
> It sounds like I should rather use the non-UMA example to try this against. Would that be better?
>
> Thanks
> Melissa
>
>
>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>>
>> Hi Melissa,
>>
>> I don't think this is very different than what we have in the quickstart you mentioned.
>>
>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <melissa.palmer(a)gmail.com> wrote:
>>> Hi,
>>>
>>> I am trying to do something similar to the following:
>>> - have a resource (say album) in app-authz-uma-photoz quickstart that
>>> includes a status attribute against it.
>>> - status such as: CREATED, APPROVED, DECLINED,
>>
>> You probably noticed that resources in Keycloak have attributes, so you could set a "status" accordingly. You should be able to write JS policies that can access any attribute associated with a resource.
>>
>>> - a person can then be given a role that allows for permissions (via a
>>> role) such as
>>>
>>> - album:create
>>> - album:approve
>>> - album:decline
>>
>> If you have different authorization requirements for each scope, you can create a scope-based permission for each scope. Otherwise, a single scope permission can manage access for all of them.
>>
>>>
>>> - BUT a person is not allowed to approve any albums they created themselves
>>
>> I would create a scope permission specific to album:approve and associate it with a JS policy that denies access to the resource owner (considering the owner is the person that created the resource).
>>
>>>
>>> Is there a keycloak-quickstarts/example I can start from?
>>> Or a recommended way I should attempt to tackle this?
>>
>> It is worth highlighting that when using UMA and, especially, the "My Resources" page in the Account Service, resource owners are always allowed to manage their resources. It seems you are more interested in a workflow that does not really fit this functionality in particular. I think you would need to manage this workflow from your app based on the permissions you have in Keycloak.
>>
>>>
>>> Thank You in advance,
>>> Melissa
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
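The approach Pedro sketches (a scope permission on album:approve backed by a JS policy that reads the resource's "status" attribute and denies the owner), written out as an added example that is not from the thread or from Keycloak. The `$evaluation` API calls (`getPermission`, `getResource`, `getOwner`, `getAttributes`, `getContext().getIdentity().getId()`, `grant`, `deny`) are Keycloak's; the `javaList`, `javaString`, `makeEvaluation` and `evaluate` helpers are constructed stand-ins so the policy logic can be run offline in Node.

```javascript
// Decision logic for a Keycloak JS policy bound to a scope-based permission on the
// "album:approve" scope. On the server the policy body reads the global $evaluation;
// here the same object is passed in as a parameter so the logic can run offline.
function approvePolicy(evaluation) {
  const resource = evaluation.getPermission().getResource();
  const identity = evaluation.getContext().getIdentity();
  // Resource attributes are a Map<String, List<String>>; "status" is the workflow
  // attribute from the thread (CREATED, APPROVED, DECLINED).
  const status = resource.getAttributes().get('status');
  if (status === null || !status.contains('CREATED')) {
    return evaluation.deny(); // only albums still in CREATED may be approved
  }
  // The owner (the creator) must not approve their own album.
  if (resource.getOwner().equals(identity.getId())) {
    return evaluation.deny();
  }
  evaluation.grant();
}

// --- Constructed stand-ins for the Java objects Keycloak exposes to the script ---
// (hypothetical mocks for this example, not part of Keycloak)
function javaList(items) {
  return { contains: (v) => items.includes(v), get: (i) => items[i] };
}
function javaString(s) {
  return { equals: (other) => String(other) === s, toString: () => s };
}
function makeEvaluation({ ownerId, userId, attributes }) {
  let decision = 'DENY'; // a Keycloak policy must call grant() explicitly; otherwise it is a deny
  const attrMap = { get: (key) => (key in attributes ? javaList(attributes[key]) : null) };
  const resource = { getOwner: () => javaString(ownerId), getAttributes: () => attrMap };
  return {
    getPermission: () => ({ getResource: () => resource }),
    getContext: () => ({ getIdentity: () => ({ getId: () => userId }) }),
    grant: () => { decision = 'GRANT'; },
    deny: () => { decision = 'DENY'; },
    result: () => decision,
  };
}

// Run the policy against one constructed permission request; returns 'GRANT' or 'DENY'.
function evaluate(input) {
  const evaluation = makeEvaluation(input);
  approvePolicy(evaluation);
  return evaluation.result();
}

// Constructed scenarios: alice created the album; bob is a reviewer with the approve role.
const ownAlbum = { ownerId: 'alice', userId: 'alice', attributes: { status: ['CREATED'] } };
const reviewerOnCreated = { ownerId: 'alice', userId: 'bob', attributes: { status: ['CREATED'] } };
const reviewerOnApproved = { ownerId: 'alice', userId: 'bob', attributes: { status: ['APPROVED'] } };
console.log(evaluate(ownAlbum), evaluate(reviewerOnCreated), evaluate(reviewerOnApproved)); // DENY GRANT DENY
```

The role check (who holds album:approve at all) stays with a separate role policy on the same permission; this script only adds the owner and status conditions on top of it.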