[keycloak-user] RBAC : adding permissions to roles

Avinash Kundaliya avinash at avinash.com.np
Tue Jan 10 07:04:16 EST 2017


Thanks for thinking through with me. It has been really helpful.

Question Inline


On 1/9/17 23:18, Pedro Igor wrote:
>>
>> On 1/9/2017 11:46:02 AM, Avinash Kundaliya <avinash at avinash.com.np> 
>> wrote:
>>
>> Hi Stian,
>> Thanks for the prompt response. I have probably read through the guide a
>> number of times. It's helpful, but it takes a while (and some struggle) to
>> probably understand it and implement in practice.
>>
>> Is there an example of how to do this simply, or would one have to
>> create scopes (which is like a permission), policies (one for each role)
>> and permissions, that would map the role to a scope ?
> *Pedro Igor:* You can create a policy for each role or a single one 
> with the roles you want to enforce before accessing a resource/scope. 
> It really depends on your requirements.
>>
>>
>> Also, possibly a related question, does role-type policy also take in
>> account roles that a user gets effectively because of a composite role?
>> If so, the "Evaluate" page always gives me a Deny. Another approach: if
>> I add the scope to each policy, then it still gives me a Deny (I tried
>> setting the strategy to Affirmative, still didn't help). 
> *Pedro Igor:* I think we are not handling composite roles. But I think 
> you can achieve a similar behavior if you create a single policy with all 
> roles that are allowed to access your protected resource.
>
> Role policies also allow you to mark a specific role as "required" so 
> users must be granted with all required roles and any of the 
> "non-required" roles you defined.
>
> If you want to say, for instance, "Roles A and B Can Perform Action C 
> on Resource D", you can just create:
>
> 1) Resource D, Scope C and associated Scope C with Resource D
> 2) Role Policy for Roles A and B (in this case users with any of these 
> roles are granted) or separated policies for each role if you need to 
> (you may want to reuse the role policy for each role to build other 
> permissions or policies)
> 3) Create a permission that puts together Resource D + Scope C + 
> Policies. Where the latter is basically the role policies you created.
>
> Does that work for you ?
*Avinash:* This definitely makes a lot of sense. I eventually created 
one policy for each role and then created a permission per scope and added 
the roles to it. Now, the next step that I want to achieve is to find 
out the scopes that a role can access for a resource. Is there an API 
endpoint or a way to list out the scopes for a role?
So, from the above example: for the query "What can Role A do on Resource D" 
it should return "*Action C, ... *"

>>
>> I hope the description isn't abstract; if so, I will try to add
>> screenshots next time.
>>
>> Regards,
>> Avinash
>>
>>
>> On 1/9/17 19:14, Stian Thorgersen wrote:
>> > You can either use our authorization services (see
>> > https://keycloak.gitbooks.io/authorization-services-guide/content/) to
>> > manage permissions centrally through Keycloak or you can manage it on
>> > your own within the application.
>> >
>> > On 9 January 2017 at 14:19, Avinash Kundaliya wrote:
>> >
>> > Hello,
>> >
>> > I have a very basic question and am curious how to model this via
>> > keycloak.
>> >
>> > In my application I have some roles. I want to map each role to a
>> > set of
>> > permissions so that based on those permissions i can check if the user
>> > has access to a specific action/resource in my application server.
>> > (pretty much how classically RBAC is done)
>> >
>> > I am curious if there is a defined pattern/way of modeling such a
>> > behavior in keycloak, or would the best way to do this would be to
>> > define and map permissions (to roles) in the application (i.e outside
>> > keycloak). What is the best practice for such a case?
>> >
>> > Regards,
>> > Avinash
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>>
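The three steps Pedro lays out ("Resource D, Scope C, role policies, then a permission that ties them together") and Avinash's follow-up question ("What can Role A do on Resource D?") can both be shown in one script. The following is an added example and is not code from the thread or from the Keycloak project: it builds the resource server settings in the JSON layout used by the Keycloak admin console's authorization settings export/import (the exact field layout is an assumption from that export format, and the realm role names `role-a`/`role-b` are hypothetical), and then answers the "what can this role do on this resource" question by evaluating that model locally. The local evaluator re-implements the role-policy rule described above (all "required" roles must be held, otherwise any listed role suffices) and the AFFIRMATIVE/UNANIMOUS/CONSENSUS decision strategies; it is an assumption, not Keycloak's own evaluation engine, and it takes the user's roles as an already-expanded flat set, so composite roles are the caller's problem. A second scope, "Action E", is added beyond the thread's example to show a policy where both roles are required.

```python
"""Added example (not from the thread or from Keycloak): model
"Roles A and B can perform Action C on Resource D" as authorization-services
objects, then answer "what can role A do on Resource D?" locally."""
import json

# Hypothetical realm role names used as the role policy "id" values.
ROLE_A, ROLE_B = "role-a", "role-b"
RESOURCE_D, ACTION_C, ACTION_E = "Resource D", "Action C", "Action E"


def role_policy(name, roles, required=()):
    """Role policy. In the export format config.roles is a JSON string of
    {"id": <role>, "required": <bool>} objects (assumed layout)."""
    return {
        "name": name, "type": "role", "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {"roles": json.dumps(
            [{"id": r, "required": r in required} for r in roles])},
    }


def scope_permission(name, resource, scopes, policies, strategy="AFFIRMATIVE"):
    """Scope permission = resource + scopes + the policies that must grant."""
    return {
        "name": name, "type": "scope", "logic": "POSITIVE",
        "decisionStrategy": strategy,
        "config": {"resources": json.dumps([resource]),
                   "scopes": json.dumps(list(scopes)),
                   "applyPolicies": json.dumps(list(policies))},
    }


def build_settings():
    """Steps 1-3 from the thread, plus Action E which needs both roles."""
    return {
        "policyEnforcementMode": "ENFORCING",
        "scopes": [{"name": ACTION_C}, {"name": ACTION_E}],
        "resources": [{"name": RESOURCE_D,
                       "scopes": [{"name": ACTION_C}, {"name": ACTION_E}]}],
        "policies": [
            role_policy("Role A", [ROLE_A]),
            role_policy("Role B", [ROLE_B]),
            role_policy("Roles A and B (both required)", [ROLE_A, ROLE_B],
                        required=(ROLE_A, ROLE_B)),
            # Any of the applied policies granting is enough (AFFIRMATIVE).
            scope_permission("Action C on Resource D", RESOURCE_D,
                             [ACTION_C], ["Role A", "Role B"]),
            scope_permission("Action E on Resource D", RESOURCE_D,
                             [ACTION_E], ["Roles A and B (both required)"]),
        ],
    }


def role_policy_grants(policy, user_roles):
    """Local re-implementation (assumption) of the rule described in the
    thread: deny if any required role is missing, otherwise grant when the
    user holds at least one listed role. user_roles is a flat set."""
    defs = json.loads(policy["config"]["roles"])
    if any(d["required"] and d["id"] not in user_roles for d in defs):
        granted = False
    else:
        granted = any(d["id"] in user_roles for d in defs)
    return granted if policy["logic"] == "POSITIVE" else not granted


def decide(strategy, votes):
    """Combine per-policy votes according to the permission's strategy."""
    grants, denies = votes.count(True), votes.count(False)
    if strategy == "AFFIRMATIVE":
        return grants > 0
    if strategy == "UNANIMOUS":
        return grants > 0 and denies == 0
    if strategy == "CONSENSUS":
        return grants > denies
    raise ValueError("unknown decision strategy: %s" % strategy)


def scopes_for(settings, user_roles, resource):
    """'What can these roles do on this resource?' -> set of scope names."""
    by_name = {p["name"]: p for p in settings["policies"]}
    allowed = set()
    for perm in settings["policies"]:
        if perm["type"] != "scope":
            continue
        cfg = perm["config"]
        if resource not in json.loads(cfg["resources"]):
            continue
        votes = []
        for pname in json.loads(cfg["applyPolicies"]):
            pol = by_name[pname]
            if pol["type"] != "role":
                raise NotImplementedError("only role policies are modelled")
            votes.append(role_policy_grants(pol, set(user_roles)))
        if decide(perm["decisionStrategy"], votes):
            allowed.update(json.loads(cfg["scopes"]))
    return allowed


if __name__ == "__main__":
    settings = build_settings()
    print(json.dumps(settings, indent=2))  # paste into Authorization > Settings import
    for roles in ({ROLE_A}, {ROLE_B}, {ROLE_A, ROLE_B}, {"unrelated"}):
        print(sorted(roles), "->", sorted(scopes_for(settings, roles, RESOURCE_D)))
```

Running it prints the settings document and then, for the query in the thread, `['role-a'] -> ['Action C']`; a user holding both roles also gets `Action E`, and a user with neither gets nothing. The same walk (permission, applied policies, role definitions) is what you would do against the objects returned by the authorization REST endpoints if the "scopes per role" answer has to come from a live server rather than a settings export.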