Btw, could you guys give more info on how you are using groups to authorize
access to resources/scopes?
The PR I mentioned previously supports:
* Defining a claim from where groups are obtained. We do support hierarchy
checks but the claim must hold the paths and not only their name. In case
the claim only maps to group names, we do an exact match.
* Select a group using the group tree as it stands today in the group list
page
* Define if access to a selected/allowed group also extends to children
On Wed, Jun 14, 2017 at 7:58 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Should be available soon
https://github.com/keycloak/keycloak/pull/4224.
On Wed, Jun 14, 2017 at 4:16 AM, Hübner, Bettina <
Bettina.Huebner(a)kvbawue.de> wrote:
> Hi R,
>
> you can use a Group Mapper to add the group to the access token and then
> create a JavaScript Policy that checks the group membership.
>
> E.g. when using 'group' as 'Token Claim Name' property of the group mapper:
>
>     var identity = $evaluation.getContext().getIdentity();
>     var attributes = identity.getAttributes();
>     // Entry for the 'group' claim; null when the token carries no such claim
>     var groups = attributes.getValue('group');
>     var n = (groups != null) ? groups.size() : 0;
>
>     for (var i = 0; i < n; i++) {
>         // Compare each group value from the token with the required group
>         if (groups.asString(i) == "name of group needed to access the resource") {
>             $evaluation.grant();
>             break;
>         }
>     }
>
>
> Regards
> Bettina
>
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of rafterjiang
> Sent: Tuesday, June 13, 2017 19:42
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Group policy for authorization.
>
> Hello,
>
> Is there a *group policy* that we can use for authorization? This way we can
> simply add a new user to the group that we have created and the user can
> automatically gain access to the resource.
>
> Right now we have to create a policy for every single new user and assign it to
> the resource.
>
> Thanks,
> R
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Group-policy-for-authorization-tp3940.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
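
The matching rules described at the top of this thread (hierarchy check when the claim holds group paths, exact match when it holds only names, optional extension to children), sketched as an added example. This is not code from the thread or from Keycloak; the function names, the policy object shape and the sample token are constructed assumptions.

```javascript
// Added example with constructed names; not Keycloak's implementation.
const stripTrailingSlash = (p) => p.replace(/\/+$/, '');

// Does one claim value satisfy one allowed group (selected by its full path)?
function groupMatches(claimValue, allowedPath, extendToChildren) {
  if (typeof claimValue !== 'string' || claimValue === '') return false;
  const allowed = stripTrailingSlash(allowedPath);
  if (!claimValue.startsWith('/')) {
    // Name-only claim: no hierarchy information, so exact match on the name only.
    // Assumption: the name is compared with the last segment of the allowed path.
    return claimValue === allowed.split('/').pop();
  }
  const claim = stripTrailingSlash(claimValue);
  if (claim === allowed) return true;
  // Child check on a segment boundary, so "/eng" never matches "/engineering".
  return Boolean(extendToChildren) && claim.startsWith(allowed + '/');
}

// policy: { groupsClaim, groups: [{ path, extendToChildren }] } (hypothetical shape)
function isAuthorized(token, policy) {
  const raw = token[policy.groupsClaim];
  const values = Array.isArray(raw) ? raw : raw == null ? [] : [raw];
  return policy.groups.some((g) =>
    values.some((v) => groupMatches(v, g.path, g.extendToChildren)));
}

// Constructed sample token claims
const sampleToken = { groups: ['/engineering/platform', 'contractors'] };
```

A name-only claim cannot distinguish two groups with the same name in different branches of the tree, which is why only path claims get the child check here.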