---------- Forwarded message ----------
From: Mehdi Sheikhalishahi <mehdi.alishahi(a)gmail.com>
Date: Mon, Mar 13, 2017 at 6:38 PM
Subject: Access Control for an IoT environment
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Hi,
I'd like to validate my solution based on KeyCloak for securing access to
sensors.
Our environment consists of a dashboard, a sensors service (a database of
sensors), and KeyCloak. We need to display the list of sensors associated
to the authenticated user in the dashboard, and implement Access Control to
sensors. A user can have different accesses to different sensors. For
simplicity, we define two access types: read and write.
Our solution is to use User Attributes: we create two user attributes for
each user, one for read and one for write, and the value of each attribute
is the list of sensors. This list states that the user has this type of
access to these sensors. Hence, this is a database that can be used for
defining policies.
For presentation, we can simply read these attributes and present them in
the Dashboard with appropriate columns for read and write accesses.
We need to implement another operation, called evaluation of authorization
requests: when a user sends a request to access a sensor with an access type
(read or write), this request should be evaluated (validated) by KeyCloak.
This is where KeyCloak policies come into play. For that, we need to write a
policy (an attribute-based policy, or a mixed kind of policy, such as
JavaScript?) to evaluate whether this user is authorized to perform such an
operation. The output of this operation is allow or deny. If the evaluation
result is allow, the request is sent to the database of sensors, and the
result of this operation is returned to the Dashboard for the user.
My questions are the following:
- Is this solution approach the right one?
- How do we provide the access request to KeyCloak, so that in the policy
we have all the inputs we need for evaluation, that is user information, the
requested sensor, and the requested access type?
Thanks,
Mehdi
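The evaluation step the post describes, as an added example that is not part of the original message and is not Keycloak's own policy code: a deny-by-default decision function over per-user attributes of the proposed shape (one list of sensors for read, one for write), plus the flattening needed for the dashboard columns. The attribute names `sensor_read` and `sensor_write`, the sensor identifiers and the sample user are assumptions made for the example. Keycloak stores user attributes as multi-valued, and the post stores a whole list in one attribute, so a value is accepted either as an array of strings or as a comma-separated string.

```javascript
// Added example: allow/deny evaluation over Keycloak-style user attributes.
// Attribute names below are assumed; they are not defined by the post or by
// Keycloak. Inside a Keycloak JavaScript policy the same three inputs (user
// attributes, requested sensor, requested access type) would be read from
// $evaluation instead of being passed as plain arguments.
const ACCESS_ATTRIBUTE = { read: 'sensor_read', write: 'sensor_write' };

// Normalise one attribute value into a Set of sensor ids. Accepts a
// multi-valued attribute (array) or a single comma-separated string; blank
// entries and surrounding whitespace are dropped.
function parseSensorList(value) {
  if (value == null) return new Set();
  const parts = Array.isArray(value) ? value : [value];
  const ids = [];
  for (const part of parts) {
    for (const id of String(part).split(',')) {
      const trimmed = id.trim();
      if (trimmed) ids.push(trimmed);
    }
  }
  return new Set(ids);
}

// Decide "allow" or "deny" for (user attributes, sensor, access type).
// Deny by default: an unknown access type, a missing attribute, or a sensor
// absent from the list all yield "deny". Write access does not imply read
// access; each list is checked on its own, exactly as the post defines them.
function evaluate(userAttributes, sensorId, accessType) {
  const attrName = ACCESS_ATTRIBUTE[accessType];
  if (!attrName) return 'deny';
  const allowed = parseSensorList(userAttributes[attrName]);
  return allowed.has(String(sensorId).trim()) ? 'allow' : 'deny';
}

// Dashboard view: one row per sensor the user can see, with a read and a
// write column, sorted by sensor id for stable presentation.
function dashboardRows(userAttributes) {
  const read = parseSensorList(userAttributes[ACCESS_ATTRIBUTE.read]);
  const write = parseSensorList(userAttributes[ACCESS_ATTRIBUTE.write]);
  const all = new Set([...read, ...write]);
  return [...all].sort().map(sensor => ({
    sensor,
    read: read.has(sensor),
    write: write.has(sensor),
  }));
}

// Constructed sample user: attributes as they might come back for one user.
// sensor_read is multi-valued and one of its values itself holds a list.
const sampleUser = {
  sensor_read: ['temp-01, temp-02', 'hum-07'],
  sensor_write: 'temp-01',
};

console.log(evaluate(sampleUser, 'temp-01', 'write')); // allow
console.log(evaluate(sampleUser, 'temp-02', 'write')); // deny
console.log(evaluate(sampleUser, 'temp-01', 'delete')); // deny
console.log(dashboardRows(sampleUser));
```

In a Keycloak JavaScript policy the identity attributes come from `$evaluation.getContext().getIdentity().getAttributes()`, the requested sensor and access type from `$evaluation.getPermission().getResource()` and `$evaluation.getPermission().getScopes()`, and the decision is reported with `$evaluation.grant()` or `$evaluation.deny()`; the pure function above is the part that should be tested outside Keycloak. One caveat a practitioner would raise against the attribute-based design: these lists live on the user and will grow with the number of sensors, and any client that can read the user's attributes or a token carrying them learns the full sensor list, so keep them out of token claims unless the dashboard really needs them there.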