Hi!
OK, thank you. It seems that the reason is the same as for my previous questions :)
Alexey
On 5 Feb 2019, at 15:12, Pedro Igor Silva <psilva(a)redhat.com> wrote:
It depends on how you are sending the authorization requests. If you request permissions
to a resource, permissions associated with the resource and any associated scope will be
evaluated. However, if you only send an authorization request for a particular scope, only
permissions (and associated policies) associated with that scope are evaluated.
On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko <titorenko(a)dtg.technology> wrote:
Hello guys!
Could you please help me with understanding how policies are evaluated?
I have a REST service with several operations. Each of them is protected by a corresponding
scope (create, view, update, delete, list). For each of these scopes I defined a scope-based
permission which controls access to its scope.
All of the permissions have just one ‘Default’ policy, which grants access to any user.
The ‘delete’ permission in addition has a JavaScript-based policy which checks if the caller is
the author of the document. So, only one permission is configured to evaluate the ‘Author’
policy.
I expect that the ‘Author’ policy will only be evaluated when the ‘delete’ operation on the service
is called. But I see that it is evaluated each time ANY operation is called.
So, if all policies are evaluated for each call, then what is the purpose of specifying
policies in permissions? What is the right way to use policies then?
Thank you,
Alexey.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user