Re: [keycloak-user] How to implement this using Keycloak

Hi Travis, You are not hijacking anything. And I'm also Silva anyways :) It is pretty much related. Although different use cases. I need to get more input from Rong before going further. Regarding your use case, the answer is yes. I think you can address most of these requirements with our authorization services. For instance, projects are *resources* in Keycloak. You may define a resource that represents a set of one or more resources or have resource instances. In this case, resources instances inherit all permissions. You can also override permissions on a resource-basis as well. Eg.: define specific policies for a scope associated with a resource. Here resources can be you projects. You application, which is acting as a resource server, is also allowed to manage their own resources in Keycloak using the Protection API. Which basically provides an API to CRUD resources + other things. Scopes can be actions that PM, PMOs, etc, can perform on your resources. Here, you can also specify permissions for each scope individually. Both resources and scopes are associated with permissions, which define the authorization policies that should be applied in order to GRANT or DENY access. For last, policies represent the conditions that you actually want to enforce. We have a few policy providers that allows you to use ABAC, RBAC, Javascript, JBoss Rules/Drools, Time constraints, Users, etc. The idea is have introduce more in the future. Eg.: XACML, Group-based, etc. There is also an evaluation tool that you can use to simulate authorization requests and check how your permissions and policies are being evaluated. Useful when designing your policies, testing or trying to figure out issues. Right now, I'm working on a few improvements. If you want to get latest changes (just sent a PR now), please check both upstream doc and code. Regards. Pedro Igor ----- Original Message ----- From: "Travis De Silva" <traviskds(a)gmail.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt;, "Rong Sang (CL-ATL)" <rsang(a)carelogistics.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Friday, July 29, 2016 9:37:02 PM Subject: Re: [keycloak-user] How to implement this using Keycloak Hi Pedro, I have just started looking at the Keycloak Authorization Services that was introduced in 2.0.0.Final. I too have a similar use case. For example, we have a project management system where projects belong to a project manager. A project manager can have more than one project. Each project manager has access to only their own projects. Project Managers in turn report to Portfolio Managers. So a Portfolio Manager should be able to access all his/her project manager's projects. At the moment, how we handle this is by having a seperate mapping within the application and since we build/own the applicaiton, we filter out the JPA query results based on the above rules.BTW, our services are REST based (i.e. JAX-RS) KeyCloak is essentially used for Authentication via a federated LDAP/AD provider and we use Keycloak roles to protect the services/front end screen options. Are you saying that we can filter the data outside the application via Keycloak Authorization Services? Maybe I need to start looking at the demo examples a bit more. I believe Rong's use case is also the same so hope I have not hijacked this thread. Cheers Travis On Sat, 30 Jul 2016 at 09:51 Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: