[keycloak-user] Authorization services: Trying to model authz for a typical application.

Ushanas Shastri ushanas.shastri at viteos.com
Thu Aug 11 03:33:19 EDT 2016


Classification: INTERNAL
Anyone have any ideas/suggestions?

Regards, Ushanas.

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Ushanas Shastri
Sent: Friday, August 05, 2016 12:24 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application.


Classification: INTERNAL
Hello,

I've been looking at all the Authz examples with 2.1.0 CR1, and I've been trying to fit/model them for my application.

Let's say there's a feature in an application to process loan applications. Possible actions on a loan application are to view, edit, approve or reject them. However, users can take specific actions on applications based on the geographical zone in which requests are raised.

For example:

User A can view applications across all Zones, but approve or reject applications only if they are from Zone A.
User B can only view applications from Zone B, and cannot do anything else.
User C can do all actions for all Zones.

In the authorization tab, Loan Application is created as a resource, with scopes created for each action (view/edit/approve/reject).

Scope-based permissions are created for each scope, and are attached to a policy. Now the policy is where I'd like to implement the check on the zone.

I could create each Zone as a group or as a client role. I chose to create a client role for each Zone.

Now, if user A logs in to the application, I have a screen where they can search for applications to view/process. User A should get to see a list of all applications, since he has view access to all, but only process

When I request an authorization through the entitlement API, the response tells me that Zone A and Zone B are the client roles, and view and approve and reject are allowed scopes, but does *not* say that the Zone B scope is only view, and the Zone A scopes are view, approve and reject. The response is a list of client roles and scopes (with resources), but does not link the client role to a resource-scope combination. I couldn't find a way to make individual requests (like: tell me what scopes are allowed for this resource, for this particular client role/group?)

As a result, I cannot use the idea of creating zones as either client roles or groups.

How then do I model this in Keycloak? Thank you for reading the long example, and looking forward to a response!

Regards, Ushanas.
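The zone-and-scope model described in the post above, as an added example that is not from the original message and not Keycloak code: it encodes the stated rules for users A, B and C (user names are constructed), evaluates requests against them, and shows why an entitlement-style response that lists zone roles and scopes separately, as described above, lets an application that trusts it directly over-grant.

```python
# Added example (not from the original post or from Keycloak). Models the
# per-zone scope rules the poster describes and compares a correct check with
# one based on a flattened roles+scopes response. Data is constructed.
from typing import Dict, FrozenSet, Set

ALL_SCOPES = frozenset({"view", "edit", "approve", "reject"})
ZONES = ("Zone A", "Zone B")

# Per-user policy as stated in the post: zone -> allowed scopes on
# "Loan Application". "*" stands for every zone.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "userA": {"*": frozenset({"view"}),
              "Zone A": frozenset({"view", "approve", "reject"})},
    "userB": {"Zone B": frozenset({"view"})},
    "userC": {"*": ALL_SCOPES},
}

def allowed_scopes(user: str, zone: str) -> FrozenSet[str]:
    """Scopes the user holds on loan applications raised in `zone`."""
    rules = POLICY.get(user, {})
    return rules.get("*", frozenset()) | rules.get(zone, frozenset())

def is_permitted(user: str, zone: str, scope: str) -> bool:
    """Correct decision: the zone -> scope link is kept."""
    return scope in allowed_scopes(user, zone)

def flattened_entitlement(user: str) -> Dict[str, Set[str]]:
    """Shape the poster describes: a set of zone roles and a set of granted
    scopes, with the link between them dropped."""
    rules = POLICY.get(user, {})
    roles = {z for z in ZONES if z in rules or "*" in rules}
    scopes = set().union(*rules.values()) if rules else set()
    return {"roles": roles, "scopes": scopes}

def naive_check(user: str, zone: str, scope: str) -> bool:
    """What an application gets if it trusts the flattened response:
    holding any zone role plus any scope is treated as a grant."""
    ent = flattened_entitlement(user)
    return zone in ent["roles"] and scope in ent["scopes"]

def over_grants(user: str) -> Set[tuple]:
    """(zone, scope) pairs the naive check allows but the real policy denies."""
    return {(z, s) for z in ZONES for s in ALL_SCOPES
            if naive_check(user, z, s) and not is_permitted(user, z, s)}
```

For user A the flattened response yields roles {Zone A, Zone B} and scopes {view, approve, reject}, so the naive check wrongly allows approve/reject on Zone B; the per-zone check does not.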
