Pedro Igor: Hello, answers inline. On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash(a)avinash.com.np&gt; wrote: Hi, since I got no response to my previous email and i can see some action happening in the mailing list, I will try to forward my question and explain it again. * Can a user update their own custom attributes ? I want to use custom attributes to store data that would help in creating policies for their permissions. From what i could understand from previous discussions, it looks like users cannot, but its not confirmed or mentioned anywhere. Pedro Igor: In general, only admins via Administrator Console. There is an Account Management Page intended for user self-service, you can probably extend themes and provide the attributes you want to update there. See https://github.com/keycloak/keycloak/tree/master/examples/themes. * Related to the question above, is there a defined structure/ pattern to define resource ownership in keycloak, eg. user-id *"xx"* is a manger of resource-id *"yy"* , user-id "*aa*" is a viewer of resource-id "*bb*" and so on and so forth. Pedro Igor: Resources always have an owner. This is different than the role of an user for a particular resource. By default, resources belongs to the resource server itself. But when creating new resources via Protection API you can set the owner to be an user. roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions to your resources. For instance, you can use a JS Policy to grant access to the resource based on the owner of a resource. As well, associate other permissions based on other types of policies. If you want an example about how to enforce permissions to a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy. Some help or push in the right direction would be helpful. Regards, Avinash -------- Forwarded Message -------- Subject: regarding custom attributes and mapping resources to users Date: Tue, 20 Dec 2016 16:14:03 +0545 From: Avinash Kundaliya To: keycloak-user(a)lists.jboss.org Hello Community, I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargons. I have some basic queries that i am curious about. * Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us...). Is this something that a user can edit for themselves or is something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute ? * My second question is more about architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Looking forward to some constructive discussions and some answers to the basic issues I have. Regards, Avinash _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Yes, you can use Admin Rest API [1].  [1] https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-.... On 12/30/2016 2:04:03 PM, Avinash Kundaliya <avinash(a)avinash.com.np&gt; wrote: Just thinking about the following scenario: Is it anyhow possible for a user to change his custom attributes without extending the Account Management Page theme? maybe via the API? I hope not, but want to confirm as I couldn't find where the custom attributes were defined in the Keycloak source. Regards, Avinash On 12/22/16 17:18, Pedro Igor wrote: Pedro Igor: Hello, answers inline. On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash(a)avinash.com.np&gt; [mailto:avinash@avinash.com.np] wrote: Hi, since I got no response to my previous email and i can see some action happening in the mailing list, I will try to forward my question and explain it again. * Can a user update their own custom attributes ? I want to use custom attributes to store data that would help in creating policies for their permissions. From what i could understand from previous discussions, it looks like users cannot, but its not confirmed or mentioned anywhere. Pedro Igor: In general, only admins via Administrator Console. There is an Account Management Page intended for user self-service, you can probably extend themes and provide the attributes you want to update there. See https://github.com/keycloak/keycloak/tree/master/examples/themes [https://github.com/keycloak/keycloak/tree/master/examples/themes]. * Related to the question above, is there a defined structure/ pattern to define resource ownership in keycloak, eg. user-id *"xx"* is a manger of resource-id *"yy"* , user-id "*aa*" is a viewer of resource-id "*bb*" and so on and so forth. Pedro Igor: Resources always have an owner. This is different than the role of an user for a particular resource. By default, resources belongs to the resource server itself. But when creating new resources via Protection API you can set the owner to be an user. roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions to your resources. For instance, you can use a JS Policy to grant access to the resource based on the owner of a resource. As well, associate other permissions based on other types of policies. If you want an example about how to enforce permissions to a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy. Some help or push in the right direction would be helpful. Regards, Avinash -------- Forwarded Message -------- Subject: regarding custom attributes and mapping resources to users Date: Tue, 20 Dec 2016 16:14:03 +0545 From: Avinash Kundaliya To: keycloak-user(a)lists.jboss.org [mailto:keycloak-user@lists.jboss.org] Hello Community, I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargons. I have some basic queries that i am curious about. * Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us... [https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/us...]). Is this something that a user can edit for themselves or is something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute ? * My second question is more about architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Looking forward to some constructive discussions and some answers to the basic issues I have. Regards, Avinash _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org [mailto:keycloak-user@lists.jboss.org] https://lists.jboss.org/mailman/listinfo/keycloak-user [https://lists.jboss.org/mailman/listinfo/keycloak-user]