We are also lacking a Group-Based Policy. Once we have it, you will be able
to address the requirements you mentioned.
So, for "user1 ONLY of group1, to have WRITE access" you would need to
define a specific permission (e.g. a scope permission) stating that user1
can WRITE.
Maybe you can test this behavior today using roles.
On Fri, Apr 14, 2017 at 3:15 AM, Ilya Korol <llivezking(a)gmail.com> wrote:
Generally yes. First of all, carefully study the Authorization docs.
According to your case:
/my/entity/{entity_id} - this is your resource and you will have to
define it in Keycloak.
Any access to resources is based on the permissions of the user. (In other words,
KC adapters will check whether the user has or hasn't permission to the
specified resource). So the main question is how the user will acquire his
permissions to resources. This could be achieved via policies, so in your
case there could be a policy that checks whether the user is in group1, and if
so grants him permission to read (HTTP_GET) the resource.
Take a look at
https://keycloak.gitbooks.io/documentation/authorization_services/index.html
(it took me a reasonable amount of time and experimentation to "get the
picture", so don't be in a hurry).
You should also check out the authz examples from the Keycloak repo.
If you try to use the Spring Security adapter, read this thread
http://lists.jboss.org/pipermail/keycloak-user/2017-March/010107.html
about some issues that I faced with this adapter and suitable solutions.
On 13.04.2017 17:25, Antoine Carton wrote:
> Hello,
>
> Is there a way to manage fine-grained authorizations with Keycloak like in
> the following scenario:
>
> - A user user1 belongs to a group group1
> - group1 has READ access to the REST path: GET /my/entity/{entity_id}
> - group1 has no WRITE access to this path: POST /my/entity/{entity_id}
>
> This means that all users of that group can only READ at that path,
> whatever the {entity_id} is.
>
> The question is:
> Is it possible to allow user1 ONLY of group1 to have WRITE access to a
> specific entity_id?
>
> The purpose is to use the Spring Boot/Spring Security Adapter and replace
> what Spring security does with @PreAuthorize annotation for example.
>
> Thank you for your help,
>
> Best regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
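As an added illustration of the model the replies describe (resources, scopes, policies and scope-based permissions) applied to Antoine's scenario, here is a small evaluator written for this thread. It is not Keycloak's own code: the class names, the path-template matcher, the GET/POST to read/write mapping and the sample identities are assumptions, and the group policy it relies on is the one the first reply says Keycloak did not yet have at the time.

```python
"""Toy model of Keycloak Authorization Services concepts, added for this
thread (not Keycloak code). A resource carries scopes, a policy decides
something about the identity, and a scope-based permission ties policies
to scopes on one resource. Names and the matcher are assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class Identity:
    username: str
    groups: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    uri: str      # template such as /my/entity/{entity_id}
    scopes: set   # scopes defined on the resource, e.g. {"read", "write"}

    def matches(self, path):
        # {entity_id} stands for exactly one path segment (assumed matcher).
        pattern = re.sub(r"\{[^/]+\}", "[^/]+", self.uri)
        return re.fullmatch(pattern, path) is not None


@dataclass
class GroupPolicy:
    name: str
    group: str

    def evaluate(self, identity):
        return self.group in identity.groups


@dataclass
class UserPolicy:
    name: str
    users: set

    def evaluate(self, identity):
        return identity.username in self.users


@dataclass
class ScopePermission:
    name: str
    resource: str
    scopes: set
    policies: list
    decision_strategy: str = "UNANIMOUS"  # or "AFFIRMATIVE"

    def grants(self, identity):
        results = [p.evaluate(identity) for p in self.policies]
        if self.decision_strategy == "UNANIMOUS":
            return all(results)
        return any(results)


HTTP_TO_SCOPE = {"GET": "read", "POST": "write"}  # assumed mapping


def evaluate(resources, permissions, identity, method, path):
    """Deny by default; grant only if some permission covering a matching
    resource grants the scope implied by the HTTP method."""
    scope = HTTP_TO_SCOPE.get(method)
    if scope is None:
        return False
    matched = [r for r in resources if r.matches(path) and scope in r.scopes]
    for res in matched:
        for perm in permissions:
            if (perm.resource == res.name and scope in perm.scopes
                    and perm.grants(identity)):
                return True
    return False


# Constructed setup for the scenario in the thread.
RESOURCES = [
    Resource("Entity", "/my/entity/{entity_id}", {"read", "write"}),
    Resource("Entity 42", "/my/entity/42", {"read", "write"}),
]
ONLY_GROUP1 = GroupPolicy("Only group1", "group1")
ONLY_USER1 = UserPolicy("Only user1", {"user1"})
PERMISSIONS = [
    # every member of group1 may READ any entity
    ScopePermission("group1 reads entities", "Entity", {"read"}, [ONLY_GROUP1]),
    # only user1, and only while in group1, may WRITE entity 42
    ScopePermission("user1 writes entity 42", "Entity 42", {"write"},
                    [ONLY_USER1, ONLY_GROUP1]),
]


def check(username, groups, method, path):
    identity = Identity(username, set(groups))
    return evaluate(RESOURCES, PERMISSIONS, identity, method, path)


if __name__ == "__main__":
    print(check("user1", ["group1"], "POST", "/my/entity/42"))  # True
    print(check("user1", ["group1"], "POST", "/my/entity/7"))   # False
```

The evaluator grants access if any resource whose template covers the path has a permission for the requested scope; Keycloak's policy enforcer instead resolves the most specific matching resource first, so a real configuration for entity 42 would normally carry its own read permission as well. The UNANIMOUS strategy on the second permission is what restricts the write to user1 while still requiring group membership.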