[keycloak-user] Keycloak relations between resources in a system

Pedro Igor Silva psilva at redhat.com
Fri Jun 30 07:27:20 EDT 2017


Hello ...

On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx at gmail.com> wrote:

>       Hi there,
>
>
> I am new to keycloak and am trying to use it as an auth server in my solution.
>
> I have the following entity model: *devices* are owned by a particular
> *company*, to which some *users* belong. A user with role *admin* can grant
> permission for viewing some set of devices to a regular user, but only those
> devices that belong to the admin's company. Thus all users except admins can
> view only a subset of all devices in the company. Based on the requirements I
> decided to model a company as a *group* and devices as keycloak *resources*.
> To evaluate permissions I chose *rule-based policy*. The problem is I ran
> into the following questions about how to implement the other relations and
> business rules:
>
>    1.
>
>    Can I set the group as an owner of the resource to check this relation
>    in policy?
>

You can't. Right now the owner should be a user (or service account). But I
think groups should also be included in the list of supported owners
though. I think that would help you to address your requirement [1].

In fact, maybe we should allow anything as the owner. I think we had some
discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.

[1] https://issues.jboss.org/browse/JBEAP-11377


>    2.
>
>    Which mechanism better to use in my case to grant view permission on a
>    particular device to a regular user?
>
> If someone is more experienced in keycloak and knows how to better
> represent such model, please help.
>
> Thank you in advance.
>
> *P.S.*
>
> For the second question I have two solutions:
>
>    - Create for each device a new role whose name consists of the *device's
>    name* + the word *view* (this solution has a big disadvantage: if a user
>    has over 1000 devices the *Permission Ticket* will be very huge)
>    - Represent the mapping between user and device via a scope -- when an
>    admin sets a relation between a particular device and a user, a scope
>    whose name consists of the *user id* plus the word *view* is added to the
>    resource (device) (I know it is not a good way to use scopes, but I have
>    no idea how to better configure this relation in keycloak)
>

It seems company and realm have a 1:1 mapping? If so, we end up missing
the group issue I mentioned previously.

Makes sense?
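As an added example (not code from the thread or from Keycloak), here is a Keycloak-style JavaScript policy body, wrapped in a function with a constructed stub of the `$evaluation` object so it runs offline; it relates the resource owner, which must be a user, to the company modelled as a group, as the reply above describes. The `getContext().getIdentity()`, `getRealm().getUserGroups()`, `hasRealmRole()` and `grant()` calls follow the Keycloak JS policy API; the `/companies/<name>` group layout, the user directory and the `isGranted()` helper are assumptions made for this example.

```javascript
const COMPANY_PREFIX = '/companies/'; // constructed group layout, not a Keycloak convention

// Grants when the requester owns the device, or is an 'admin' in one of the owner's companies.
// The owner is a user id: a group cannot be set as owner, so the company is reached via groups.
function policy(evaluation) {
  const identity = evaluation.getContext().getIdentity();
  const realm = evaluation.getRealm();
  const ownerId = evaluation.getPermission().getResource().getOwner(); // a user id
  if (identity.getId() === ownerId) {
    evaluation.grant();
    return;
  }
  const companiesOf = (userId) =>
    realm.getUserGroups(userId).filter((path) => path.startsWith(COMPANY_PREFIX));
  const ownerCompanies = companiesOf(ownerId);
  const sameCompany = companiesOf(identity.getId()).some((c) => ownerCompanies.includes(c));
  if (identity.hasRealmRole('admin') && sameCompany) {
    evaluation.grant();
  }
}

// Constructed user directory (user id -> groups and realm roles); not real Keycloak data.
const DIRECTORY = {
  alice: { groups: ['/companies/acme'], roles: ['admin'] },
  bob: { groups: ['/companies/acme'], roles: [] },
  carol: { groups: ['/companies/globex'], roles: ['admin'] },
};

// Minimal stand-in for the Evaluation object Keycloak hands to a JS policy as $evaluation.
function makeEvaluation(requesterId, ownerId) {
  let granted = false;
  const identity = {
    getId: () => requesterId,
    hasRealmRole: (role) => DIRECTORY[requesterId].roles.includes(role),
  };
  return {
    getContext: () => ({ getIdentity: () => identity }),
    getRealm: () => ({ getUserGroups: (id) => DIRECTORY[id].groups }),
    getPermission: () => ({ getResource: () => ({ getOwner: () => ownerId }) }),
    grant: () => { granted = true; },
    isGranted: () => granted, // stub-only helper; the real Evaluation has no such method
  };
}

// Runs the policy for one request; returns true when the policy grants it.
function evaluate(requesterId, ownerId) {
  const ev = makeEvaluation(requesterId, ownerId);
  policy(ev);
  return ev.isGranted();
}
```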

