[keycloak-dev] Role based Segregation of Duties in Keycloak

Thomas Darimont thomas.darimont at googlemail.com
Tue Sep 5 10:15:45 EDT 2017


Hello,


for a use case I need to support segregation of duties across multiple
applications.

> Segregation of Duties (SoD) is a mechanism that prevents the accumulation of too
> much power in the hands of a single person. It places constraints on assignments
> of entitlements to users. For example, SoD may prevent a single user from creating a
> request and also approving it.

Have you already considered adding this feature?

In the context of Keycloak this would mean specifying that two roles are
mutually exclusive, determined based on the overall effective roles of
a user; the same may apply to service accounts.

Issue is here:

https://issues.jboss.org/browse/KEYCLOAK-3307

Some thoughts about adding that to Keycloak.

Support for “Segregation of Duties” (SoD) for a realm could be controlled
with an on/off switch.

If SoD is enabled, an administrator can select a set of roles which are then
treated as mutually exclusive to the given role when creating or updating a role.

Mutually exclusive roles could be stored as a pair of role1:role2 (with
their ids) in a table like e.g. keycloak_roles_mutex or keycloak_roles_sod.

If role1 is mutually exclusive to role2 then role2 is mutually exclusive to
role1.


- Creating / Updating a Role with SoD

When creating a new or editing an existing role (role1), an administrator
could configure SoD by specifying a list of roles that are mutually exclusive
to the current role (e.g. role2), perhaps called “Segregation of Duty Roles”.


- Validating a role assignment with SoD

When assigning a role to a user, Keycloak would check if the given role
combined with any effective role of the user matches a registered pair in the
keycloak_roles_mutex table.

If this is the case, the assignment would be rejected with an error, perhaps
indicating which roles cause the conflict. Otherwise the role can be assigned.

The same would apply to roles added to groups when a user wants to join a group.


- Special Case: Updating a Role with SoD

When configuring SoD for an existing role it might happen that there already
exists a user role mapping with a then invalid configuration. In that case SoD
cannot be enabled for the given role until the conflicting role mappings are cleared.

Until Keycloak provides a way to inspect granted and effective roles assigned
to a user in more detail, users would need to fall back to database queries to
find all conflicting user role mappings.


- Removing a Role with SoD configuration

When a role is removed and it had SoD roles configured, those mappings must
be removed as well.
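To make the four steps above concrete, here is an added example (my own sketch, not Keycloak code and not part of the original proposal) that models the proposed mutex table and the checks around it with an in-memory SQLite database. The table name keycloak_roles_sod, the role ids r1..r3 and the user names are constructed; the example stores each pair once in canonical order so that the "role1 exclusive to role2 implies role2 exclusive to role1" rule holds by construction, rejects an assignment that would combine two mutually exclusive effective roles, refuses to enable a new SoD rule while existing mappings already violate it (using the kind of database query the text mentions as a fallback), and cleans up the pairs when a role is deleted. Group and composite role expansion is assumed to have happened upstream; effective_roles() only looks at direct mappings.

```python
import sqlite3

# Constructed sample roles (role name -> role id); not taken from any real realm.
ROLES = {"request-creator": "r1", "request-approver": "r2", "auditor": "r3"}


class SodViolation(Exception):
    """Raised when an assignment or SoD configuration would violate a mutex pair."""


def build_db():
    """In-memory stand-in for the realm tables; keycloak_roles_sod is the proposed mutex table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT NOT NULL UNIQUE);
        CREATE TABLE user_role_mapping (
            user_id TEXT NOT NULL, role_id TEXT NOT NULL,
            PRIMARY KEY (user_id, role_id));
        -- Each pair is stored once in canonical order, so symmetry holds by construction.
        CREATE TABLE keycloak_roles_sod (
            role1 TEXT NOT NULL, role2 TEXT NOT NULL,
            PRIMARY KEY (role1, role2), CHECK (role1 < role2));
    """)
    conn.executemany("INSERT INTO role VALUES (?, ?)",
                     [(rid, name) for name, rid in ROLES.items()])
    return conn


def _pair(a, b):
    """Canonical storage order for a mutex pair."""
    return (a, b) if a < b else (b, a)


def effective_roles(conn, user_id):
    """Direct mappings only; group/composite expansion is assumed to happen upstream."""
    rows = conn.execute("SELECT role_id FROM user_role_mapping WHERE user_id = ?", (user_id,))
    return {r[0] for r in rows}


def mutex_partners(conn, role_id):
    """All roles declared mutually exclusive with role_id, whichever column they sit in."""
    rows = conn.execute(
        "SELECT role1, role2 FROM keycloak_roles_sod WHERE role1 = ? OR role2 = ?",
        (role_id, role_id))
    return {r2 if r1 == role_id else r1 for r1, r2 in rows}


def assign_role(conn, user_id, role_id):
    """Step 2: reject the assignment if role_id conflicts with any effective role of the user."""
    conflicts = mutex_partners(conn, role_id) & effective_roles(conn, user_id)
    if conflicts:
        raise SodViolation(f"{role_id} conflicts with {sorted(conflicts)} for user {user_id}")
    conn.execute("INSERT INTO user_role_mapping VALUES (?, ?)", (user_id, role_id))


def conflicting_mappings(conn, role_id, exclusive_roles):
    """The fallback query: users who already hold role_id together with one of exclusive_roles."""
    if not exclusive_roles:
        return []
    placeholders = ",".join("?" * len(exclusive_roles))
    rows = conn.execute(
        f"""SELECT m1.user_id, m2.role_id FROM user_role_mapping m1
            JOIN user_role_mapping m2 ON m2.user_id = m1.user_id
            WHERE m1.role_id = ? AND m2.role_id IN ({placeholders})""",
        (role_id, *exclusive_roles))
    return sorted(rows)


def configure_sod(conn, role_id, exclusive_roles):
    """Steps 1 and 3: refuse to enable SoD while existing user role mappings would violate it."""
    existing = conflicting_mappings(conn, role_id, list(exclusive_roles))
    if existing:
        raise SodViolation(f"clear conflicting mappings first: {existing}")
    conn.executemany("INSERT OR IGNORE INTO keycloak_roles_sod VALUES (?, ?)",
                     [_pair(role_id, other) for other in exclusive_roles])


def remove_role(conn, role_id):
    """Step 4: deleting a role also drops its mappings and every SoD pair that references it."""
    conn.execute("DELETE FROM keycloak_roles_sod WHERE role1 = ? OR role2 = ?", (role_id, role_id))
    conn.execute("DELETE FROM user_role_mapping WHERE role_id = ?", (role_id,))
    conn.execute("DELETE FROM role WHERE id = ?", (role_id,))


def demo():
    """Walk through the four cases and return the observable outcomes."""
    conn = build_db()
    creator, approver, auditor = ROLES["request-creator"], ROLES["request-approver"], ROLES["auditor"]
    configure_sod(conn, creator, [approver])  # creator and approver become mutually exclusive
    assign_role(conn, "alice", creator)
    try:
        assign_role(conn, "alice", approver)  # rejected: alice already creates requests
        rejected = False
    except SodViolation:
        rejected = True
    assign_role(conn, "alice", auditor)  # unrelated role, still allowed
    assign_role(conn, "bob", approver)
    try:  # a new rule that alice's existing mappings already violate must not be enabled
        configure_sod(conn, auditor, [creator])
        late_rule_rejected = False
    except SodViolation:
        late_rule_rejected = True
    remove_role(conn, approver)  # drops bob's mapping and the creator:approver pair
    return {
        "rejected": rejected,
        "late_rule_rejected": late_rule_rejected,
        "alice_roles": sorted(effective_roles(conn, "alice")),
        "bob_roles": sorted(effective_roles(conn, "bob")),
        "sod_pairs_left": conn.execute("SELECT count(*) FROM keycloak_roles_sod").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The CHECK (role1 < role2) constraint plus the OR in mutex_partners() is what makes the symmetry rule cheap to enforce; the alternative of storing both orderings doubles the rows and needs a trigger to keep them consistent.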


Thoughts?

Cheers,

Thomas

