[keycloak-user] Keycloak relations between resources in a system
Pedro Igor Silva
psilva at redhat.com
Fri Jun 30 07:27:20 EDT 2017
Hello ...
On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx at gmail.com> wrote:
> Hi there,
>
> I am new to Keycloak and am trying to use it as the auth server in my solution.
>
> I have the following entity model: the *devices* are owned by a particular *company* to which some *users* belong. A user with role *admin* can grant permission for viewing some set of devices to a regular user, but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in the company. Based on these requirements I decided to model a company as a *group* and devices as Keycloak's *resources*. To evaluate permissions I chose the *rule-based policy*. The problem is I ran into the following questions about how to implement the other relations and business rules:
>
> 1. Can I set the group as an owner of the resource to check this relation in the policy?
>
>
You can't. Right now the owner should be a user (or service account). But I think groups should also be included in the list of supported owners though. I think that would help you to address your requirement [1]. In fact, maybe we should allow anything as the owner. I think we had some discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.

[1] https://issues.jboss.org/browse/JBEAP-11377
> 2. Which mechanism is better to use in my case to grant view permission on a particular device to a regular user?
>
> If someone is more experienced in Keycloak and knows how to better represent such a model, please help.
>
> Thank you in advance.
>
> *P.S.*
>
> For the second question I have two solutions:
>
> - Create for each device a new role whose name consists of the *device's name* + the word *view* (this solution has a big disadvantage, because if a user has over 1000 devices the *Permission Ticket* will be very huge).
> - Represent the mapping between user and device via a scope: when an admin sets a relation between a particular device and a user, a scope whose name consists of the *user id* plus the word *view* is added to the resource (device). (I know this is not a good way to use scopes, but I have no idea how to better configure this relation in Keycloak.)
>
It seems company and realm have a 1:1 mapping? If so, we end up missing the group issue I mentioned previously.

Makes sense?