[keycloak-user] Fwd: regarding custom attributes and mapping resources to users
Pedro Igor
psilva at redhat.com
Thu Dec 22 06:33:33 EST 2016
Pedro Igor: Hello, answers inline.
On 12/22/2016 7:21:13 AM, Avinash Kundaliya <avinash at avinash.com.np> wrote:
Hi,
since I got no response to my previous email and I can see some action
happening in the mailing list, I will try to forward my question and
explain it again.
* Can a user update their own custom attributes? I want to use custom
attributes to store data that would help in creating policies for
their permissions. From what I could understand from previous
discussions, it looks like users cannot, but it's not confirmed or
mentioned anywhere.
Pedro Igor: In general, only admins via the Administrator Console. There is an Account Management Page intended for user self-service; you can probably extend themes and provide the attributes you want to update there.
See https://github.com/keycloak/keycloak/tree/master/examples/themes.
* Related to the question above, is there a defined structure/pattern
to define resource ownership in Keycloak, e.g. user-id *"xx"* is a
manager of resource-id *"yy"*, user-id *"aa"* is a viewer of
resource-id *"bb"*, and so on and so forth.
Pedro Igor: Resources always have an owner. This is different from the role of a user for a particular resource. By default, resources belong to the resource server itself. But when creating new resources via the Protection API, you can set the owner to be a user.
From my question last time, what are the best practices to map
roles to specific resources? For example, if I have a role called
shop_owner, how do I map a user with that role to a specific shop
(for example)? Is this something that Keycloak has defined
structures for? How can I achieve such a structure with Keycloak,
with or without using the Keycloak authorization/resource services?
Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions with your resources.
For instance, you can use a JS Policy to grant access to the resource based on the owner of the resource. You can also associate other permissions based on other types of policies.
If you want an example of how to enforce permissions on a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy.
Some help or push in the right direction would be helpful.
Regards,
Avinash
-------- Forwarded Message --------
Subject: regarding custom attributes and mapping resources to users
Date: Tue, 20 Dec 2016 16:14:03 +0545
From: Avinash Kundaliya
To: keycloak-user at lists.jboss.org
Hello Community,
I am fairly new to using Keycloak and still getting immersed in the
authentication and authorization jargon. I have some basic queries that
I am curious about.
* Regarding the custom attributes for each user
(https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html).
Is this something that a user can edit for themselves, or is it
something for an administrator to manage custom content for the
user? Basically, as an administrator, can I put information that
should be hidden from the user in a custom attribute?
* My second question is more about the architecture of applications with
authentication and authorization. What are the best practices to map
roles to specific resources? For example, if I have a role called
shop_owner, how do I map a user with that role to a specific shop
(for example)? Is this something that Keycloak has defined
structures for? How can I achieve such a structure with Keycloak,
with or without using the Keycloak authorization/resource services?
Looking forward to some constructive discussions and some answers to the
basic issues I have.
Regards,
Avinash
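The owner-based JS Policy Pedro suggests for the shop_owner case, written out as an added example (not code from the thread or from the Keycloak project): the policy body uses Keycloak's documented `$evaluation` API (`getContext().getIdentity()`, `getPermission().getResource()`, `grant()`, `deny()`); the `makeEvaluation` stand-in, the `decide` helper and the user/shop ids are constructed so the policy logic can be exercised offline.

```javascript
// Added example: a Keycloak JS policy body that grants access only when the
// requesting user is the owner of the resource (e.g. a shop) AND holds the
// shop_owner realm role. In Keycloak the script runs against a global
// `$evaluation`; it is wrapped in a function here so it can run stand-alone.
function shopOwnerPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();

  // The owner is set when the resource is created via the Protection API.
  // String() is used because Nashorn hands back Java strings, not JS ones.
  var isOwner = String(resource.getOwner()) === String(identity.getId());
  var hasRole = identity.hasRealmRole("shop_owner");

  if (isOwner && hasRole) {
    $evaluation.grant();
  } else {
    $evaluation.deny(); // default-deny: any other combination is refused
  }
}

// Constructed stand-in for Keycloak's Evaluation object (test scaffolding only,
// not a Keycloak API); it records the decision the policy takes.
function makeEvaluation(userId, roles, ownerId) {
  var decision = null;
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return {
            getId: function () { return userId; },
            hasRealmRole: function (r) { return roles.indexOf(r) !== -1; }
          };
        }
      };
    },
    getPermission: function () {
      return { getResource: function () { return { getOwner: function () { return ownerId; } }; } };
    },
    grant: function () { decision = "grant"; },
    deny: function () { decision = "deny"; },
    result: function () { return decision; }
  };
}

// Runs the policy for one constructed request and returns "grant" or "deny".
function decide(userId, roles, ownerId) {
  var ev = makeEvaluation(userId, roles, ownerId);
  shopOwnerPolicy(ev);
  return ev.result();
}
```

Note that the owner check alone is what ties a user to a specific shop; the realm role only confirms the user is allowed to act as a shop owner at all.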
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user