Hello Suresh,
I've experimented a bit with JavaScript policies; I hope things will be similar
with Drools.
You can obtain a user's custom attributes using the following expression:
var attrs = $evaluation.realm.getUserAttributes(id);
where id is either $evaluation.context.identity.id (the user being authorized) or
$evaluation.permission.resource.owner (UMA resource owner).
Hope this helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sat, 2019-01-05 at 13:26 +0000, Suresh Mali wrote:
Each user has one or more resources, e.g. 'account'.
Each user is assigned one or more agents. (An agent is a different user in the system with
the role agent.)
I have added them in user attributes. For example, let us say there is user_a who has the account
resource,
and there are users with the agent role, say 'agent_a', 'agent_b' and
'agent_c'.
In user_a's attributes I have added the attribute
allowed_agents = [ 'agent_a', 'agent_b' ]
and agent_a & agent_b have the attribute
allowed_users = ['user_a']
Now in policy evaluation I want to ensure that when
agent_a & agent_b try to access a resource owned by user_a they are allowed, while
agent_c is not allowed.
How do I access the resource owner's attributes and/or the identity owner's attributes?
I want to write an evaluation something like this:
is it possible to get $permission.resource.owner.attributes['allowed_agents'] to
return ['agent_a','agent_b'], or $identity.attributes['allowed_users'] to
return ['user_a'], so that I can evaluate the match?
Something like below:

rule "Authorize Resource Owner"
dialect "mvel"
when
    $evaluation : Evaluation(
        $identity : context.identity,
        $permission : permission,
        $permission.resource.owner.attributes['allowed_agents'].indexOf($identity.id) >= 0
    )
then
    $evaluation.grant();
end
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
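The following is an added example, not code from Dmitry's reply or from Keycloak itself. It turns the `$evaluation.realm.getUserAttributes(id)` expression in the reply above into a complete JavaScript policy for Suresh's scenario: the requester is granted access only when the resource owner's `allowed_agents` attribute lists the requester and the requester's own `allowed_users` attribute lists the owner, so neither side can grant itself access by editing only its own attribute. Two things to keep in mind when adapting it: `getIdentity().getId()` is the user's internal id, so the attribute values must be user ids (or you must resolve usernames separately), and inside Keycloak's script engine `getUserAttributes()` returns a `java.util.Map<String, java.util.List<String>>`, which is why the helper accepts both a Java list and a plain array. The harness at the bottom, the sample users, and the ids `user_a`, `agent_a`, `agent_b`, `agent_c` are assumptions made so the policy can be exercised offline under Node; they are not Keycloak's API.

```javascript
// Added example, not from the thread or from Keycloak: a JavaScript policy that
// grants an "agent" access to another user's resource only when both users'
// attributes agree. Inside Keycloak the script receives `$evaluation`
// (org.keycloak.authorization.policy.evaluation.Evaluation); the harness at the
// bottom is a constructed stand-in so the logic runs offline under Node.

// True if `values` contains `value`; accepts a java.util.List (Keycloak's script
// engine) or a JS array (the harness below).
function listContains(values, value) {
  if (values == null) return false;
  if (typeof values.contains === 'function') return values.contains(value);
  return values.indexOf(value) >= 0;
}

// Look up one attribute; works for a java.util.Map as well as a JS Map.
function attributeOf(attrs, name) {
  if (attrs == null) return null;
  return attrs.get(name);
}

// The policy body. In Keycloak this is the script pasted into the policy editor,
// where `$evaluation` is provided; here it is wrapped in a function for testing.
function agentPolicy($evaluation) {
  var requesterId = $evaluation.getContext().getIdentity().getId();
  var ownerId = $evaluation.getPermission().getResource().getOwner();
  var realm = $evaluation.getRealm();

  // The owner needs no delegation to reach their own resource.
  if (requesterId === ownerId) {
    $evaluation.grant();
    return;
  }

  // Owner side: the owner's attribute says which agents may act for it.
  var ownerAllows = listContains(
    attributeOf(realm.getUserAttributes(ownerId), 'allowed_agents'), requesterId);
  // Agent side: the agent must also list the owner it acts for.
  var agentAccepts = listContains(
    attributeOf(realm.getUserAttributes(requesterId), 'allowed_users'), ownerId);

  if (ownerAllows && agentAccepts) {
    $evaluation.grant();
  } else {
    $evaluation.deny(); // deny explicitly; an unmatched policy is not a grant
  }
}

// ---- constructed offline harness (assumption: mimics only the calls used above) ----
function makeEvaluation(users, requesterId, ownerId) {
  var decision = 'NONE';
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return requesterId; } }; } };
    },
    getPermission: function () {
      return { getResource: function () { return { getOwner: function () { return ownerId; } }; } };
    },
    getRealm: function () {
      return {
        getUserAttributes: function (id) {
          // Unknown users get an empty attribute map, like a user with no attributes.
          return Object.prototype.hasOwnProperty.call(users, id) ? users[id] : new Map();
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Constructed sample realm mirroring the thread (ids written as names for readability).
var sampleUsers = {
  user_a:  new Map([['allowed_agents', ['agent_a', 'agent_b']]]),
  agent_a: new Map([['allowed_users', ['user_a']]]),
  agent_b: new Map([['allowed_users', ['user_a']]]),
  agent_c: new Map([['allowed_users', ['user_a']]]) // claims user_a, but user_a never listed agent_c
};

// Run the policy for one requester against a resource owned by `ownerId`.
function decide(requesterId, ownerId) {
  var ev = makeEvaluation(sampleUsers, requesterId, ownerId);
  agentPolicy(ev);
  return ev.result();
}

console.log(decide('agent_a', 'user_a'), decide('agent_c', 'user_a')); // GRANT DENY
```

Only `agentPolicy` and the two small helpers belong in the Keycloak policy; everything from the harness comment down exists so the decision table can be checked without a running server. Note that `agent_c` lists `user_a` in its own `allowed_users` and is still denied, which is the point of requiring the owner's side of the relationship.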