[keycloak-user] How to implement this using Keycloak
Travis De Silva
traviskds at gmail.com
Fri Jul 29 20:37:02 EDT 2016
Hi Pedro,
I have just started looking at the Keycloak Authorization Services that was
introduced in 2.0.0.Final.
I too have a similar use case. For example, we have a project management
system where projects belong to a project manager. A project manager can
have more than one project. Each project manager has access to only their
own projects.
Project Managers in turn report to Portfolio Managers. So a Portfolio
Manager should be able to access all his/her project manager's projects.
At the moment, how we handle this is by having a separate mapping within
the application and, since we build/own the application, we filter out the
JPA query results based on the above rules. BTW, our services are REST based
(i.e. JAX-RS). Keycloak is essentially used for authentication via a
federated LDAP/AD provider, and we use Keycloak roles to protect the
services/front-end screen options.
Are you saying that we can filter the data outside the application via Keycloak
Authorization Services? Maybe I need to start looking at the demo examples
a bit more.
I believe Rong's use case is also the same so hope I have not hijacked this
thread.
Cheers
Travis
On Sat, 30 Jul 2016 at 09:51 Pedro Igor Silva <psilva at redhat.com> wrote:
> Hi Rong,
>
> Can you provide more details about your use case? For instance:
>
> * Are you the service owner?
> * Is your service using a REST style? What does the API look like?
> * Is your service already protected using a bearer token?
> * How are you representing the user's unit? Realm, group, role,
> or just a user claim/attribute?
> * What is behind "Users should not have access to patients
> in a unit that they are not authorized for"? What does "not authorized" really
> mean? What kinds of policies do you want to apply?
>
> From what you described, it seems that you can achieve what you want
> with different approaches. It all depends on what you really need and how
> fine-grained you want to be. For instance, units can be represented as
> groups in Keycloak. You can enforce group membership in your application by
> introspecting the bearer token (issued by a Keycloak server to some
> client). The same logic applies if you are using roles or attributes to
> represent units.
>
> In 2.0.0.Final, we have introduced Keycloak Authorization Services.
> This one is related to externalized and fine-grained authorization, which
> gives you great flexibility to define, manage, deploy and enforce
> authorization policies for your application and organization. Indeed, one of
> the protocols we are supporting (not fully, yet), UMA, is pretty much based
> on several healthcare use cases. For instance, you can manage the policies
> that apply to patient records in Keycloak and also let Keycloak enforce
> these policies on requests sent to your application. In this case, you can
> define not only a "from unit have access" policy, but also apply even more
> fine-grained policies to your service using the different policy providers
> (ABAC and context-based, RBAC, time-based, rules-based, user-based, more to
> come...) we provide. We are still missing some very nice parts of UMA
> though, as currently we are focusing on API security use cases. But I hope
> to get those missing parts implemented soon.
>
> Regards.
> Pedro Igor
>
>
> ----- Original Message -----
> From: "Rong Sang (CL-ATL)" <rsang at carelogistics.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, July 29, 2016 5:23:20 PM
> Subject: [keycloak-user] How to implement this using Keycloak
>
> Hi all,
>
> I'm doing a POC using Keycloak. The normal authentication/authorization
> features work well, but I have the following requirement for which I cannot
> find a straightforward solution. I hope some security experts on the mailing
> list can point me in the right direction.
>
> Here is the requirement. A hospital has multiple units. Users should not
> have access to patients in a unit for which they are not authorized. I have
> one service that returns a list of patients across units. What's the best
> way to set up authorization for this service?
>
> As I said earlier, I cannot find a feature with which to implement this. Any
> idea is greatly appreciated.
>
> Thanks,
>
> Rong
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
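Pedro's first suggestion above (represent units as Keycloak groups and have the service enforce membership from the bearer token's claims) can look like the following. This is an added example written for this page, not code from the thread or from the Keycloak project. It assumes a Keycloak "Group Membership" protocol mapper that writes a `groups` claim with the full group path disabled, groups named after the hospital units, a hypothetical realm role `patient-auditor` for hospital-wide access (realm roles appear under `realm_access.roles`), and constructed patient records. To run offline it mints an HS256 token with a constructed secret; real Keycloak access tokens are RS256-signed with the realm key and must be verified against the realm's public key (or the token introspection endpoint), but the rest of the flow is the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: fake patient records spread across hospital units.
PATIENTS = [
    {"id": "p1", "unit": "icu"},
    {"id": "p2", "unit": "icu"},
    {"id": "p3", "unit": "oncology"},
    {"id": "p4", "unit": "cardiology"},
]

# Hypothetical realm role granting hospital-wide read access (assumption).
ALL_UNITS_ROLE = "patient-auditor"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 JWT so the example runs offline.
    Keycloak itself issues RS256 tokens; only the signature check differs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Check signature, algorithm and expiry before trusting any claim.
    Raises ValueError on every failure so callers fail closed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorized_units(claims: dict) -> set:
    """Units the caller may read: the `groups` claim (assumed to hold unit
    names), widened to every unit for holders of the hospital-wide role."""
    units = set(claims.get("groups", []))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if ALL_UNITS_ROLE in roles:
        units |= {p["unit"] for p in PATIENTS}
    return units


def list_patients(token: str, secret: bytes, unit: Optional[str] = None,
                  now: Optional[float] = None):
    """Handler for GET /patients[?unit=...]; returns (http_status, body)."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    units = authorized_units(claims)
    if unit is not None and unit not in units:
        # An explicit request for a forbidden unit is a 403, not an empty 200:
        # silently filtering hides misconfiguration from callers and from logs.
        return 403, {"error": f"not authorized for unit {unit}"}
    wanted = units if unit is None else {unit}
    return 200, {"patients": [p for p in PATIENTS if p["unit"] in wanted]}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    nurse = make_token({"sub": "nurse", "groups": ["icu"], "exp": time.time() + 300}, secret)
    print(list_patients(nurse, secret))
    print(list_patients(nurse, secret, unit="oncology"))
```

The filtering happens in the service from verified claims only; a token with no `groups` claim yields an empty list rather than an error, while a tampered or expired token is rejected before any data access. Pedro's second option, moving these rules into Keycloak Authorization Services and letting its policy enforcer decide per request, replaces `authorized_units` with a policy evaluation but leaves the token verification step unchanged.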