[keycloak-dev] Fw: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Sushil Singh
sushil.singh at guavus.com
Fri Nov 15 05:42:42 EST 2019
Based on my understanding,
In Keycloak, whatever you want to protect is a Resource.
In your case, Resources will be created based on Organizations.
Organization (Resources)
Example
/org/O1
/org/O2
/org/O3
/org/O4
So create two roles and associate policies with them
1. Account-role [ assign Account-role to the users / groups whom you want to give multiple access]
2. General-role [ assign General-role to users / groups whom you don’t want to give organization]
So you can create a role-based policy and attach that policy to the permission.
You can associate the Resource with a Permission and associate the Permission with the above Policies.
Check out these links to get an overview of how to manage resources, policies and permissions:
https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview
https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_overview
https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_overview
Thanks
Sushil
________________________________
From: Tumenjargal B <b.tume at yahoo.com>
Sent: 15 November 2019 15:39
To: Stian Thorgersen <sthorger at redhat.com>; Pedro Igor Silva <psilva at redhat.com>; Sushil Singh <sushil.singh at guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hello dears,
I want to integrate an old system with Keycloak. A user has many organizations.
In my case, users have account and general account positions. An account position works in many organizations. How to integrate with Keycloak? How to save organization data of a user in Keycloak?
Thank you
On Friday, November 15, 2019, 05:52:03 PM GMT+8, Sushil Singh <sushil.singh at guavus.com> wrote:
________________________________
From: Sushil Singh <sushil.singh at guavus.com>
Sent: 15 November 2019 15:14
To: Vishnu Prakash <vishnuprakash323 at gmail.com>; Pedro Igor Silva <psilva at redhat.com>; Stian Thorgersen <sthorger at redhat.com>
Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I think the use case is similar to what I am proposing
@Vishnu Prakash
I have also proposed to impose custom policy-enforcement on a set of resources.
https://github.com/keycloak/keycloak/pull/6448
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300
Where user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if it satisfies permission for all resources in the Map
Currently I don't think this functionality is available in keycloak
Thanks,
Sushil
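
The "positive only if every resource in the Map is permitted" evaluation described in the message above, as an added example that is not code from pull request #6448 or from Keycloak itself. It assumes the token's signature has already been verified and that its granted permissions (resource name plus scopes) have been extracted; the class and method names, the `view`/`edit` scopes and the use of the `/org/...` paths as resource names are hypothetical.

```java
import java.util.*;

public class AllResourcesCheck {
    // One granted permission taken from an already-verified token (resource name + scopes).
    record Permission(String rsname, Set<String> scopes) {}

    // True only if EVERY required resource is granted with ALL of its required scopes.
    static boolean allGranted(Map<String, Set<String>> required, List<Permission> granted) {
        if (required == null || required.isEmpty()) {
            return false; // an empty requirement must not pass vacuously (fail closed)
        }
        // Merge scopes per resource: the same resource may appear in several entries.
        Map<String, Set<String>> byResource = new HashMap<>();
        for (Permission p : granted) {
            Set<String> scopes = byResource.computeIfAbsent(p.rsname(), k -> new HashSet<>());
            if (p.scopes() != null) {
                scopes.addAll(p.scopes());
            }
        }
        for (Map.Entry<String, Set<String>> need : required.entrySet()) {
            Set<String> have = byResource.get(need.getKey());
            if (have == null || !have.containsAll(need.getValue())) {
                return false; // one missing resource or scope denies the whole request
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample permissions, not taken from a real token.
        List<Permission> granted = List.of(
            new Permission("/org/O1", Set.of("view", "edit")),
            new Permission("/org/O2", Set.of("view")));

        // Case 1: both required resources are present with the required scope.
        System.out.println(allGranted(
            Map.of("/org/O1", Set.of("view"), "/org/O2", Set.of("view")), granted));
        // Case 2: /org/O3 is required but was never granted.
        System.out.println(allGranted(
            Map.of("/org/O1", Set.of("view"), "/org/O3", Set.of("view")), granted));
        // Case 3: /org/O2 is granted, but without the required edit scope.
        System.out.println(allGranted(Map.of("/org/O2", Set.of("view", "edit")), granted));
        // Case 4: empty requirement map.
        System.out.println(allGranted(Map.of(), granted));
    }
}
```
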
________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Vishnu Prakash <vishnuprakash323 at gmail.com>
Sent: 15 November 2019 10:01
To: keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in the WildFly application server and using the Keycloak WildFly
adapters.
Is it possible to associate a REST API endpoint to multiple resources in
Keycloak using the Policy Enforcer? If the user has permission to
access all the associated resources, then only access should be granted to
the API.
Any input will be a great help to me.
Thanks & Regards,
Vishnu Prakash
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user