Hi,
What if you push user's primary store as a claim to your policies and use
this information to decide the scopes he/she has access to?
It could also be useful to avoid creating a resource for each store, so you
could use a single resource and corresponding permission that matches the
store the user is accessing and his primary store (both sent as claims to
your policies).
Regards.
Pedro Igor
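The approach Pedro describes, written out as an added example that is not from the thread or from the Keycloak project: a single JavaScript policy that compares a pushed `primaryStore` claim with the `store` being accessed and derives the permitted scopes from that. The claim names, the optional `region`/`storeRegion` claims and the `$evaluation` glue at the bottom are assumptions; the decision logic is plain ES5 so it also runs outside Keycloak.

```javascript
'use strict';

// Scopes granted at the user's primary store vs. at any other store
// in their region, per Scott's scenario.
var PRIMARY_STORE_SCOPES = ['POS', 'DailyCloseout'];
var SECONDARY_STORE_SCOPES = ['POS'];

// Pure decision: the subset of requestedScopes the user may exercise in
// the store context carried by the claims. Missing claims deny everything
// (fail closed); a store whose region differs from the user's is denied.
function allowedScopes(claims, requestedScopes) {
  if (!claims.primaryStore || !claims.store) return [];
  if (claims.storeRegion !== undefined &&
      claims.storeRegion !== claims.region) return [];
  var permitted = claims.store === claims.primaryStore
    ? PRIMARY_STORE_SCOPES
    : SECONDARY_STORE_SCOPES;
  return requestedScopes.filter(function (s) {
    return permitted.indexOf(s) !== -1;
  });
}

// A permission is granted only when every requested scope is allowed.
function isGranted(claims, requestedScopes) {
  return requestedScopes.length > 0 &&
    allowedScopes(claims, requestedScopes).length === requestedScopes.length;
}

// Keycloak glue (assumption: the $evaluation API of the JavaScript policy
// provider; claim names are made up for this example). Reads the pushed
// claims and the scopes of the permission under evaluation, then decides.
function firstClaim(attrs, name) {
  var v = attrs.getValue(name);
  return v ? v.asString(0) : undefined;
}
if (typeof $evaluation !== 'undefined') {
  var attrs = $evaluation.getContext().getIdentity().getAttributes();
  var claims = {
    primaryStore: firstClaim(attrs, 'primaryStore'),
    region: firstClaim(attrs, 'region'),
    store: firstClaim(attrs, 'store'),
    storeRegion: firstClaim(attrs, 'storeRegion')
  };
  var scopes = [];
  $evaluation.getPermission().getScopes().forEach(function (s) {
    scopes.push(s.getName());
  });
  if (isGranted(claims, scopes)) { $evaluation.grant(); } else { $evaluation.deny(); }
}
```

Because the store being accessed and the user's primary store both arrive as claims, one "store" resource with one scope-based permission covers all 10,000 stores, and changing a user's primary store means updating a claim rather than a role or attribute per store.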
On Thu, Dec 27, 2018 at 9:55 PM Warren, Scott <swarren(a)sumglobal.com> wrote:
Hi,
I need some input on the best way to solve authorization for a retail chain
scenario. Here's the scenario:
A retailer has 10,000 stores and 30,000 users
While each user has a primary store, they can work in other stores in their
region
At his/her primary store, UserA (clerk) has the following scopes: POS,
DailyCloseout
For secondary stores, UserA has only the POS scope
While there are many more scopes, and user roles, the problem to solve is
this multi-tiered permissions structure. UserA's permissions depend on the
store context.
I've set up stores as resources (of type "store"), each resource has a
storeNbr attribute
I've set up scopes of POS, DailyCloseout, SalesReports, etc.
I'm struggling with a clean way to tie a user to his/her "storeX":
["scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute,
and after mapping it, got it working with a JavaScript policy,
but that's a maintenance nightmare at best.
I can set up roles with names like <storeNbr>.<scopeA>. It's better than
the user attribute route, but still feels like a hack.
I'm guessing I could write a Drools policy that could, using the identity
from the context, read from a database that contains this structure. BUT
this provider is in tech preview / not supported, so I'm not excited about
this route.
Lastly, I guess I could write a custom policy provider.
These last two require me to maintain a separate database (and app to
maintain it), so I'm not thrilled with either of them.
So, what have I missed? Is there an elegant way to solve this?
Thanks for your help!
Scott
--
Scott G. Warren
SUM Global Technology
swarren(a)sumglobal.com
678.469.3455
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user