[keycloak-user] Keycloak ACL for a specific user on a specific object

Pedro Igor Silva psilva at redhat.com
Mon Apr 17 08:29:45 EDT 2017


We are also lacking a Group-Based Policy. Once we have it, you will be able
to address the requirements you mentioned.

So, for "user1 ONLY of group1, to have WRITE access" you would need to
define a specific permission (e.g.: scope permission) telling that user1
can WRITE.

Maybe you can test this behavior today using roles.

On Fri, Apr 14, 2017 at 3:15 AM, Ilya Korol <llivezking at gmail.com> wrote:

> Generally yes. First of all, carefully study the Authorization docs.
>
> As for your case:
>
> /my/entity/{entity_id} - this is your resource, and you will have to
> define it in Keycloak.
>
> Any access to resources is based on the user's permissions. (In other
> words, KC adapters will check whether the user has permission for the
> specified resource.) So the main question is how the user will acquire his
> permissions for resources. This is achieved via policies, so in your
> case there could be a policy that checks whether the user is in group1 and,
> if so, grants him permission to read (HTTP GET) the resource.
>
> Take a look at
> https://keycloak.gitbooks.io/documentation/authorization_services/index.html
> (it took me a reasonable amount of time and experimentation to "get the
> picture", so don't hurry).
>
>
> You should also check out the authz examples from the Keycloak repo.
>
>
> If you try to use the Spring Security adapter, read this thread
> http://lists.jboss.org/pipermail/keycloak-user/2017-March/010107.html
> about some issues that I faced with this adapter and suitable solutions.
>
>
>
> On 13.04.2017 17:25, Antoine Carton wrote:
> > Hello,
> >
> > Is there a way to manage fine-grained authorizations with Keycloak like
> > in the following scenario:
> >
> > - A user user1 belongs to a group group1
> > - group1 has READ access to the REST path: GET /my/entity/{entity_id}
> > - group1 does not have WRITE access to this path: POST /my/entity/{entity_id}
> >
> > This means that all users of that group can only READ at that path,
> > whatever the {entity_id} is.
> >
> > The question is:
> > Is it possible to allow only user1 of group1 to have WRITE access to a
> > specific entity_id?
> >
> > The purpose is to use the Spring Boot/Spring Security Adapter and replace
> > what Spring security does with @PreAuthorize annotation for example.
> >
> > Thank you for your help,
> >
> > Best regards
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
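Keycloak later added the group-based policy type that Pedro says was still missing in April 2017, so the setup sketched in this thread (group1 reads every entity, user1 additionally writes one specific entity) can be expressed directly in the authorization settings of the resource-server client. The JSON below is an added example written for this page; it is not from the thread or from the Keycloak project. JSON cannot carry comments, so the assumptions are listed here: the client is the Spring Boot application's resource server, the group is /group1 and the user is user1 as in the question, the entity with id 42 is the one user1 may write, the resource names (entity-42, entity-43), the type URN urn:my-app:resources:entity and the scope names read and write are invented, and one protected resource is registered per entity (typically through the Protection API when the entity is created, which is why allowRemoteResourceManagement is enabled). Policy config values are the stringified JSON that Keycloak's export format uses.

```json
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "AFFIRMATIVE",
  "scopes": [
    { "name": "read" },
    { "name": "write" }
  ],
  "resources": [
    {
      "name": "entity-42",
      "type": "urn:my-app:resources:entity",
      "uris": [ "/my/entity/42" ],
      "scopes": [ { "name": "read" }, { "name": "write" } ]
    },
    {
      "name": "entity-43",
      "type": "urn:my-app:resources:entity",
      "uris": [ "/my/entity/43" ],
      "scopes": [ { "name": "read" }, { "name": "write" } ]
    }
  ],
  "policies": [
    {
      "name": "Members of group1",
      "type": "group",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "groups": "[{\"path\":\"/group1\",\"extendChildren\":false}]",
        "groupsClaim": ""
      }
    },
    {
      "name": "Only user1",
      "type": "user",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "users": "[\"user1\"]"
      }
    },
    {
      "name": "group1 may read any entity",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "scopes": "[\"read\"]",
        "applyPolicies": "[\"Members of group1\"]"
      }
    },
    {
      "name": "user1 of group1 may write entity-42",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"entity-42\"]",
        "scopes": "[\"write\"]",
        "applyPolicies": "[\"Only user1\", \"Members of group1\"]"
      }
    }
  ]
}
```

Import this on the client's Authorization tab (or ship it as the client's authorizationSettings in a realm export). The first scope permission names no resource, so it applies to the read scope of every resource in this server; the second is pinned to entity-42 and, because its own decisionStrategy is UNANIMOUS, grants write only when both "Only user1" and "Members of group1" pass, which is exactly "user1 ONLY of group1". The server-level AFFIRMATIVE strategy means a requested scope is granted as soon as one applicable permission grants it, so a second member of group1 asking for write on entity-42 is evaluated against the write permission alone and is denied. On the adapter side, the HTTP verbs are mapped to scopes in keycloak.json with a policy-enforcer path such as `"policy-enforcer": { "paths": [ { "path": "/my/entity/{id}", "methods": [ { "method": "GET", "scopes": ["read"] }, { "method": "POST", "scopes": ["write"] } ] } ] }`; the enforcer resolves the concrete request URI to the registered resource and asks the server for the matching scope, which is the check that replaces a hand-written @PreAuthorize expression.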

