Just thinking about the following scenario:
Is it in any way possible for a user to change his custom attributes without
extending the Account Management Page theme? Maybe via the API?
I hope not, but want to confirm as I couldn't find where the custom
attributes were defined in the Keycloak source.
Regards,
Avinash
On 12/22/16 17:18, Pedro Igor wrote:
*Pedro Igor:* Hello, answers inline.
> On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash(a)avinash.com.np>
> wrote:
>
> Hi,
> Since I got no response to my previous email and I can see some action
> happening in the mailing list, I will try to forward my question and
> explain it again.
>
> * Can a user update their own custom attributes? I want to use custom
> attributes to store data that would help in creating policies for
> their permissions. From what I could understand from previous
> discussions, it looks like users cannot, but it's not confirmed or
> mentioned anywhere.
*Pedro Igor:* In general, only admins via the Administrator Console. There
is an Account Management Page intended for user self-service; you can
probably extend themes and provide the attributes you want to update
there.
See https://github.com/keycloak/keycloak/tree/master/examples/themes.
>
>
> * Related to the question above, is there a defined structure/pattern
> to define resource ownership in Keycloak, e.g. user-id *"xx"* is a
> manager of resource-id *"yy"*, user-id *"aa"* is a viewer of
> resource-id *"bb"* and so on and so forth.
*Pedro Igor:* Resources always have an owner. This is different than
the role of a user for a particular resource. By default, resources
belong to the resource server itself. But when creating new resources
via the Protection API you can set the owner to be a user.
>
>
> From my question last time, what are the best practices to map
> roles to specific resources? For example, if I have a role called
> shop_owner, how do I map a user with that role to a specific shop
> (for example)? Is this something that Keycloak has defined
> structures for? How can I achieve such a structure with Keycloak
> and with/without using the Keycloak authorization/resource services?
*Pedro Igor:* If the user is the owner of a shop, you probably want to
create the resource setting the user as the owner. After that, you
need to associate permissions with your resources.
For instance, you can use a JS Policy to grant access to the resource
based on the owner of a resource. You can also associate other permissions
based on other types of policies.
If you want an example of how to enforce permissions on a resource
based on the owner, you can check the Photoz example application.
There we demonstrate how to use Drools for that. But you can also use
a JS policy.
>
> Some help or push in the right direction would be helpful.
>
> Regards,
> Avinash
>
>
> -------- Forwarded Message --------
> Subject: regarding custom attributes and mapping resources to users
> Date: Tue, 20 Dec 2016 16:14:03 +0545
> From: Avinash Kundaliya
> To: keycloak-user(a)lists.jboss.org
>
>
>
> Hello Community,
>
> I am fairly new to using Keycloak and still getting immersed in the
> authentication and authorization jargon. I have some basic queries that
> I am curious about.
>
> * Regarding the custom attributes for each user
> (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us...).
>
> Is this something that a user can edit for themselves or is it
> something for an administrator to manage custom content for the
> user? Basically, as an administrator can I put information that
> should be hidden from the user as a custom attribute?
> * My second question is more about architecture of applications with
> authentication and authorization. What are the best practices to map
> roles to specific resources? For example, if I have a role called
> shop_owner, how do I map a user with that role to a specific shop
> (for example)? Is this something that Keycloak has defined
> structures for? How can I achieve such a structure with Keycloak
> and with/without using the Keycloak authorization/resource services?
>
> Looking forward to some constructive discussions and some answers to the
> basic issues I have.
>
> Regards,
> Avinash
>
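
The owner-based JS policy mentioned in the reply above, as an added example that is not part of the original thread and not taken from the Photoz application. The policy body is wrapped in a function so it can run under Node against a constructed stand-in for the `$evaluation` object Keycloak passes to a JS policy; `makeEvaluation`, `decide` and the user ids are assumptions made for the illustration.

```javascript
// Body of an owner-based JS policy. Inside Keycloak the policy engine supplies
// `$evaluation`; it is a parameter here so the logic can be exercised offline.
function ownerPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  // A permission may carry no resource; treat that as "not the owner".
  var owner = resource ? resource.getOwner() : null;
  // The owner is set when the resource is created (e.g. via the Protection
  // API), so the decision does not rely on a user attribute.
  if (owner !== null && String(owner) === String(identity.getId())) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in (hypothetical helper) for the objects a JS policy sees.
// `ownerId` is the resource owner, or null to model a permission with no resource.
function makeEvaluation(userId, ownerId) {
  var effect = "UNDECIDED";
  var resource = ownerId === null ? null : { getOwner: function () { return ownerId; } };
  return {
    getContext: function () {
      return { getIdentity: function () {
        return { getId: function () { return userId; } };
      } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { effect = "PERMIT"; },
    deny: function () { effect = "DENY"; },
    effect: function () { return effect; }
  };
}

// Hypothetical helper: run the policy for one user against one resource owner.
function decide(userId, ownerId) {
  var evaluation = makeEvaluation(userId, ownerId);
  ownerPolicy(evaluation);
  return evaluation.effect();
}

// Constructed sample: a shop resource registered with owner "user-aa".
console.log("owner:", decide("user-aa", "user-aa"));
console.log("other user:", decide("user-xx", "user-aa"));
console.log("no resource:", decide("user-aa", null));
```

Only the body of `ownerPolicy` would go into the policy editor; the stand-in objects exist solely to run it outside the server.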