Great. Thanks Pedro. Let me give this a go. The authorization was the
missing piece in KeyCloak and if this can fill in that gap, that's great.
On Sat, 30 Jul 2016 at 11:27 Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi Travis,
You are not hijacking anything. And I'm also Silva anyways :)
It is pretty much related. Although different use cases. I need to get
more input from Rong before going further.
Regarding your use case, the answer is yes. I think you can address
most of these requirements with our authorization services. For instance,
projects are *resources* in Keycloak. You may define a resource that
represents a set of one or more resources or have resource instances. In
this case, resources instances inherit all permissions. You can also
override permissions on a resource-basis as well. Eg.: define specific
policies for a scope associated with a resource.
Here resources can be you projects. You application, which is acting
as a resource server, is also allowed to manage their own resources in
Keycloak using the Protection API. Which basically provides an API to CRUD
resources + other things.
Scopes can be actions that PM, PMOs, etc, can perform on your
resources. Here, you can also specify permissions for each scope
individually.
Both resources and scopes are associated with permissions, which
define the authorization policies that should be applied in order to GRANT
or DENY access. For last, policies represent the conditions that you
actually want to enforce. We have a few policy providers that allows you to
use ABAC, RBAC, Javascript, JBoss Rules/Drools, Time constraints, Users,
etc. The idea is have introduce more in the future. Eg.: XACML,
Group-based, etc.
There is also an evaluation tool that you can use to simulate
authorization requests and check how your permissions and policies are
being evaluated. Useful when designing your policies, testing or trying to
figure out issues.
Right now, I'm working on a few improvements. If you want to get
latest changes (just sent a PR now), please check both upstream doc and
code.
Regards.
Pedro Igor
----- Original Message -----
From: "Travis De Silva" <traviskds(a)gmail.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>, "Rong Sang
(CL-ATL)" <
rsang(a)carelogistics.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Friday, July 29, 2016 9:37:02 PM
Subject: Re: [keycloak-user] How to implement this using Keycloak
Hi Pedro,
I have just started looking at the Keycloak Authorization Services that was
introduced in 2.0.0.Final.
I too have a similar use case. For example, we have a project management
system where projects belong to a project manager. A project manager can
have more than one project. Each project manager has access to only their
own projects.
Project Managers in turn report to Portfolio Managers. So a Portfolio
Manager should be able to access all his/her project manager's projects.
At the moment, how we handle this is by having a seperate mapping within
the application and since we build/own the applicaiton, we filter out the
JPA query results based on the above rules.BTW, our services are REST based
(i.e. JAX-RS) KeyCloak is essentially used for Authentication via a
federated LDAP/AD provider and we use Keycloak roles to protect the
services/front end screen options.
Are you saying that we can filter the data outside the application via
Keycloak
Authorization Services? Maybe I need to start looking at the demo examples
a bit more.
I believe Rong's use case is also the same so hope I have not hijacked this
thread.
Cheers
Travis
On Sat, 30 Jul 2016 at 09:51 Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Hi Rong,
>
> Can you provide more details about your use case ? For instance:
>
> * Are you the service owner ?
> * Is your service using a REST-style ? How the API looks like ?
> * Is your service already protected using a bearer token ?
> * How are you representing the user's unit ? Realm, Group, role
> or just a user claim/attribute ?
> * What is behind: "Users should not have the access to patients
> in a unit that they are not authorized". What "not authorized"
really
means
> ? What kinds of policies you want to apply ?
>
> From what you described, it seems that you can achieve what you want
> with different approaches. It all depends on what you really need and how
> fine-grained you want to be. For instance, units can be represented as
> groups in Keycloak. You can enforce group membership in your application
by
> introspecting the bearer token (issued by a Keycloak server to some
> client). The same logic applies if you are using roles or attributes to
> represent units.
>
> In 2.0.0.Final, we have introduced Keycloak Authorization Services.
> This one is related with externalized and fine-grained authorization,
which
> gives you great flexibility to define, manage, deploy and enforce
> authorization polices to your application and organization. Indeed, one
of
> the protocols we are supporting (not fully, yet), UMA, is pretty much
based
> on several healthcare use cases. For instance, you can manage the
policies
> that apply to patient records in Keycloak and also let Keycloak enforce
> these policies to requests sent to your application. In this case, you
can
> define not only a "from unit have access" policy, but also apply even
more
> fine-grained policies to your service using the different policy
providers
> (ABAC and Context-based, RBAC, Time-based, Rules-based, User-based, more
to
> come...) we provide. We are still missing some very nice parts of UMA
> though, as currently we are focusing on API security use cases. But I
hope
> to get those missing parts implemented soon.
>
> Regards.
> Pedro Igor
>
>
> ----- Original Message -----
> From: "Rong Sang (CL-ATL)" <rsang(a)carelogistics.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Friday, July 29, 2016 5:23:20 PM
> Subject: [keycloak-user] How to implement this using Keycloak
>
>
>
> Hi all,
>
>
>
> I’m doing a POC using Keycloak. The normal authentication/authorization
> features work well, but I have the following requirement that cannot
find a
> straightforward solution for. I hope some security experts in the mailing
> list can point me to the right direction.
>
>
>
> Here is the requirement. A hospital has multiple units. Users should not
> have the access to patients in a unit that they are not authorized. I
have
> one service that returns a list of patients across units. What’s the best
> way to set up authorization for this service?
>
>
>
> As I said earlier, I cannot find a feature for me to implement this. Any
> idea is greatly appreciated.
>
>
>
> Thanks,
>
>
>
> Rong
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user