7:19 a.m.
Hello,
I have a very basic question and am curious how to model this via keycloak.
In my application I have some roles. I want to map each role to a set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
7:29 a.m.
You can either use our authorization services (see
https://keycloak.gitbooks.io/authorization-services-guide/content/) to
manage permissions centrally through Keycloak or you can manage it on your
own within the application.
On 9 January 2017 at 14:19, Avinash Kundaliya <avinash(a)avinash.com.np>
wrote:
Hello,
I have a very basic question and am curious how to model this via keycloak.
In my application I have some roles. I want to map each role to a set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:44 a.m.
Hi Stian,
Is there an example of how to do this simply, or would one have to
create scopes (which is like a permission), policies (one for each role)
and permissions, that would map the role to a scope ?
Also, possibly a related question, does role-type policy also take in
account roles that a user gets effectively because of a composite role?
If so, the "Evaluate" page always gives me a Deny. Another approach, If
i add the scope to each policy, then it still gives me a Deny (I tried
setting the strategy to Affirmative, still didn't help).
I hope the description isnt abstract, if so I will try to add
screenshots next time.
Regards,
Avinash
On 1/9/17 19:14, Stian Thorgersen wrote:
You can either use our authorization services (see
https://keycloak.gitbooks.io/authorization-services-guide/content/) to
manage permissions centrally through Keycloak or you can manage it on
your own within the application.
On 9 January 2017 at 14:19, Avinash Kundaliya <avinash(a)avinash.com.np
<mailto:avinash@avinash.com.np>> wrote:
Hello,
I have a very basic question and am curious how to model this via
keycloak.
In my application I have some roles. I want to map each role to a
set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
7:45 a.m.
Hi Stian,
Thanks for the prompt response, I have probably read through the guide a
number of times, Its helpful but it takes a while (and some struggle) to
probably understand it and implement in practice.
Is there an example of how to do this simply, or would one have to
create scopes (which is like a permission), policies (one for each role)
and permissions, that would map the role to a scope ?
Also, possibly a related question, does role-type policy also take in
account roles that a user gets effectively because of a composite role?
If so, the "Evaluate" page always gives me a Deny. Another approach, If
i add the scope to each policy, then it still gives me a Deny (I tried
setting the strategy to Affirmative, still didn't help).
I hope the description isnt abstract, if so I will try to add
screenshots next time.
Regards,
Avinash
On 1/9/17 19:14, Stian Thorgersen wrote:
You can either use our authorization services (see
https://keycloak.gitbooks.io/authorization-services-guide/content/) to
manage permissions centrally through Keycloak or you can manage it on
your own within the application.
On 9 January 2017 at 14:19, Avinash Kundaliya <avinash(a)avinash.com.np
<mailto:avinash@avinash.com.np>> wrote:
Hello,
I have a very basic question and am curious how to model this via
keycloak.
In my application I have some roles. I want to map each role to a
set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
11:33 a.m.
On 1/9/2017 11:46:02 AM, Avinash Kundaliya <avinash(a)avinash.com.np> wrote:
Hi Stian,
Thanks for the prompt response, I have probably read through the guide a
number of times, Its helpful but it takes a while (and some struggle) to
probably understand it and implement in practice.
Is there an example of how to do this simply, or would one have to
create scopes (which is like a permission), policies (one for each role)
and permissions, that would map the role to a scope ?
Pedro Igor: You can create a policy for each role or a single one with the roles you want
to enforce before accessing a resource/scope. It really depends on your requirements.
Also, possibly a related question, does role-type policy also take in
account roles that a user gets effectively because of a composite role?
If so, the "Evaluate" page always gives me a Deny. Another approach, If
i add the scope to each policy, then it still gives me a Deny (I tried
setting the strategy to Affirmative, still didn't help).
Pedro Igor: I think we are not handling composite roles. But I think you can achieve a
similar behavior you create a single policy with all roles that are allowed to access your
protected resource.
Role policies also allow you to mark a specific role as "required" so users must
be granted with all required roles and any of the "non-required" roles you
defined.
If you want to say, for instance, "Roles A and B Can Perform Action C on Resource
D", you can just create:
1) Resource D, Scope C and associated Scope C with Resource D
2) Role Policy for Roles A and B (in this case users with any of these roles are granted)
or separated policies for each role if you need to (you may want to reuse the role policy
for each role to build other permissions or policies)
3) Create a permission that puts together Resource D + Scope C + Policies. Where the
latter is basically the role policies you created.
Does that work for you ?
I hope the description isnt abstract, if so I will try to add
screenshots next time.
Regards,
Avinash
On 1/9/17 19:14, Stian Thorgersen wrote:
You can either use our authorization services (see
https://keycloak.gitbooks.io/authorization-services-guide/content/) to
manage permissions centrally through Keycloak or you can manage it on
your own within the application.
On 9 January 2017 at 14:19, Avinash Kundaliya
> wrote:
Hello,
I have a very basic question and am curious how to model this via
keycloak.
In my application I have some roles. I want to map each role to a
set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:04 a.m.
Thanks for thinking through with me. It has been really helpful.
Question Inline
On 1/9/17 23:18, Pedro Igor wrote:
>
> On 1/9/2017 11:46:02 AM, Avinash Kundaliya <avinash(a)avinash.com.np>
> wrote:
>
> Hi Stian,
> Thanks for the prompt response, I have probably read through the guide a
> number of times, Its helpful but it takes a while (and some struggle) to
> probably understand it and implement in practice.
>
> Is there an example of how to do this simply, or would one have to
> create scopes (which is like a permission), policies (one for each role)
> and permissions, that would map the role to a scope ?
*Pedro Igor:* You can create a policy for each role or a single one
with the roles you want to enforce before accessing a resource/scope.
It really depends on your requirements.
>
>
> Also, possibly a related question, does role-type policy also take in
> account roles that a user gets effectively because of a composite role?
> If so, the "Evaluate" page always gives me a Deny. Another approach, If
> i add the scope to each policy, then it still gives me a Deny (I tried
> setting the strategy to Affirmative, still didn't help).
*Pedro Igor:* I think we are not handling composite roles. But I think
you can achieve a similar behavior you create a single policy with all
roles that are allowed to access your protected resource.
Role policies also allow you to mark a specific role as "required" so
users must be granted with all required roles and any of the
"non-required" roles you defined.
If you want to say, for instance, "Roles A and B Can Perform Action C
on Resource D", you can just create:
1) Resource D, Scope C and associated Scope C with Resource D
2) Role Policy for Roles A and B (in this case users with any of these
roles are granted) or separated policies for each role if you need to
(you may want to reuse the role policy for each role to build other
permissions or policies)
3) Create a permission that puts together Resource D + Scope C +
Policies. Where the latter is basically the role policies you created.
Does that work for you ?
*Avinash:* This definitely makes a lot of sense. I
eventually created
one policy for each role and then created permission per scope and added
the roles to it. Now, the next step that i want to achieve is to find
out the scopes that a role can access for a resource. Is there an API
endpoint or a way to list out the scopes for a role.
So, from above example: For the query "What can Role A do on Resource D"
it should return "*Action C, ... *"
>
> I hope the description isnt abstract, if so I will try to add
> screenshots next time.
>
> Regards,
> Avinash
>
>
> On 1/9/17 19:14, Stian Thorgersen wrote:
> > You can either use our authorization services (see
> > https://keycloak.gitbooks.io/authorization-services-guide/content/) to
> > manage permissions centrally through Keycloak or you can manage it on
> > your own within the application.
> >
> > On 9 January 2017 at 14:19, Avinash Kundaliya
> > > wrote:
> >
> > Hello,
> >
> > I have a very basic question and am curious how to model this via
> > keycloak.
> >
> > In my application I have some roles. I want to map each role to a
> > set of
> > permissions so that based on those permissions i can check if the user
> > has access to a specific action/resource in my application server.
> > (pretty much how classically RBAC is done)
> >
> > I am curious if there is a defined pattern/way of modeling such a
> > behavior in keycloak, or would the best way to do this would be to
> > define and map permissions (to roles) in the application (i.e outside
> > keycloak). What is the best practice for such a case?
> >
> > Regards,
> > Avinash
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
12:08 p.m.
Policy evaluation is only performed based on an identity represented by a token. The only
thing you will get is what an specific user can access as a consequence of the roles
granted to the same user.
You can do that via Evaluation Tool though, so you can design and test your policies.
On 1/10/2017 10:04:25 AM, Avinash Kundaliya <avinash(a)avinash.com.np> wrote:
Thanks for thinking through with me. It has been really helpful.
Question Inline
On 1/9/17 23:18, Pedro Igor wrote:
On 1/9/2017 11:46:02 AM, Avinash Kundaliya <avinash(a)avinash.com.np>
[mailto:avinash@avinash.com.np] wrote:
Hi Stian,
Thanks for the prompt response, I have probably read through the guide a
number of times, Its helpful but it takes a while (and some struggle) to
probably understand it and implement in practice.
Is there an example of how to do this simply, or would one have to
create scopes (which is like a permission), policies (one for each role)
and permissions, that would map the role to a scope ?
Pedro Igor: You can create a policy for each role or a single one with the roles you want
to enforce before accessing a resource/scope. It really depends on your requirements.
Also, possibly a related question, does role-type policy also take in
account roles that a user gets effectively because of a composite role?
If so, the "Evaluate" page always gives me a Deny. Another approach, If
i add the scope to each policy, then it still gives me a Deny (I tried
setting the strategy to Affirmative, still didn't help).
Pedro Igor: I think we are not handling composite roles. But I think you can achieve a
similar behavior you create a single policy with all roles that are allowed to access your
protected resource.
Role policies also allow you to mark a specific role as "required" so users must
be granted with all required roles and any of the "non-required" roles you
defined.
If you want to say, for instance, "Roles A and B Can Perform Action C on Resource
D", you can just create:
1) Resource D, Scope C and associated Scope C with Resource D
2) Role Policy for Roles A and B (in this case users with any of these roles are granted)
or separated policies for each role if you need to (you may want to reuse the role policy
for each role to build other permissions or policies)
3) Create a permission that puts together Resource D + Scope C + Policies. Where the
latter is basically the role policies you created.
Does that work for you ?
Avinash: This definitely makes a lot of sense. I eventually created one policy for each
role and then created permission per scope and added the roles to it. Now, the next step
that i want to achieve is to find out the scopes that a role can access for a resource. Is
there an API endpoint or a way to list out the scopes for a role.
So, from above example: For the query "What can Role A do on Resource D" it
should return "Action C, ... "
I hope the description isnt abstract, if so I will try to add
screenshots next time.
Regards,
Avinash
On 1/9/17 19:14, Stian Thorgersen wrote:
You can either use our authorization services (see
https://keycloak.gitbooks.io/authorization-services-guide/content/
[https://keycloak.gitbooks.io/authorization-services-guide/content/]) to
manage permissions centrally through Keycloak or you can manage it on
your own within the application.
On 9 January 2017 at 14:19, Avinash Kundaliya
> wrote:
Hello,
I have a very basic question and am curious how to model this via
keycloak.
In my application I have some roles. I want to map each role to a
set of
permissions so that based on those permissions i can check if the user
has access to a specific action/resource in my application server.
(pretty much how classically RBAC is done)
I am curious if there is a defined pattern/way of modeling such a
behavior in keycloak, or would the best way to do this would be to
define and map permissions (to roles) in the application (i.e outside
keycloak). What is the best practice for such a case?
Regards,
Avinash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org [mailto:keycloak-user@lists.jboss.org]
https://lists.jboss.org/mailman/listinfo/keycloak-user
[https://lists.jboss.org/mailman/listinfo/keycloak-user]
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org [mailto:keycloak-user@lists.jboss.org]
https://lists.jboss.org/mailman/listinfo/keycloak-user
[https://lists.jboss.org/mailman/listinfo/keycloak-user]
2902
days inactive
2903
days old
6 comments
3 participants
participants (3)
-
Avinash Kundaliya -
Pedro Igor -
Stian Thorgersen