[keycloak-user] Keycloak relations between resources in a system

Kirill Liubun igneuslynx at gmail.com
Fri Jun 30 11:47:39 EDT 2017


Thank you for your answer. Mapping company as the realm is a good idea I
thought about this too but it has a big disadvantage for my case.
I forgot to note that device can change a company and if I made the company
as a realm, it will complicate the way of transferring the device from one
company to another. Also, as far as I know, I can specify in keycloak
adapter only one realm thus I need to create separate resource server per
company instead of storing all data in one. It makes my architecture more
tangled and harder to implement future features those require executing
operations in more than one company.
What do you suggest to do in such case?
Also, I want to ask one more question: Can keycloak's javascript-based
policy call API of remote service? I need this because relations in my
system can become much complex (will be added companies' departments and
subdepartments, a device can be into two or more departments at the same
time). And as far as I know, keycloak don't allow to implement
sophisticated *hierarchical (network) relation model *among system's
resources. So, I decided to create separate *mapping server* that would
know all those relations and keycloak policies would call one to figure out
to grant or deny access to the resources.

On Fri, Jun 30, 2017 at 6:46 PM, Kirill Liubun <igneuslynx at gmail.com> wrote:

> Thank you for your answer. Mapping company as the realm is a good idea I
> thought about this too but it has a big disadvantage for my case.
> I forgot to note that device can change a company and if I made the
> company as a realm, it will complicate the way of transferring the device
> from one company to another. Also, as far as I know, I can specify in
> keycloak adapter only one realm thus I need to create separate resource
> server per company instead of storing all data in one. It makes my
> architecture more tangled and harder to implement future features those
> require executing operations in more than one company.
> What do you suggest to do in such case?
> Also, I want to ask one more question: Can keycloak's javascript-based
> policy call API of remote service? I need this because relations in my
> system can become much complex (will be added companies' departments and
> subdepartments, a device can be into two or more departments at the same
> time). And as far as I know, keycloak don't allow to implement
> sophisticated *hierarchical (network) relation model *among system's
> resources. So, I decided to create separate *mapping server* that would
> know all those relations and keycloak policies would call one to figure out
> to grant or deny access to the resources.
>
>
> On Fri, Jun 30, 2017 at 2:27 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hello ...
>>
>> On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx at gmail.com>
>> wrote:
>>
>>>       Hi there,
>>>
>>>
>>> I am new to keycloak and try to use it as auth server in my solution.
>>>
>>> I have next entity's model: the *devices* are owned by a particular
>>> *company* to which belongs some *users*. A user with role *admin* can
>>> grant
>>> permission for viewing some set of devices to a regular user but only
>>> those
>>> devices that belong to admin's company. Thus all users except admins can
>>> view the only subset of all devices in the company. Based on
>>> requirements I
>>> decided to make a company as *group* and devices as keycloak's
>>> *resources*.
>>> To evaluating permissions I chose *rule-based policy*. The problem is I
>>> ran
>>> into next question about hot to implement other relations and business
>>> rules:
>>>
>>>    1.
>>>
>>>    Can I set the group as an owner of the resource to check this relation
>>>    in policy?
>>>
>>
>> You can't. Right the owner should be an user (or service account). But I
>> think groups should also be included in the list if supported owners
>> though. I think that would help you to address your requirement [1].
>>
>> In fact, maybe we should allow anything as the owner. I think we had some
>> discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.
>>
>> [1] https://issues.jboss.org/browse/JBEAP-11377
>>
>>
>>>    2.
>>>
>>>    Which mechanism better to use in my case to grant view permission on a
>>>    particular device to a regular user?
>>>
>>> If someone is more experienced in keycloak and knows how to better
>>> represent such model, please help.
>>>
>>> Thank you in advance.
>>>
>>> *P.S.*
>>>
>>> For the second question I have two solutions:
>>>
>>>    - Create on each device new role which name consists of *device's
>>> name* +
>>>    word *view* (This solution has big disadvantage because If user has
>>> over
>>>    1000 devices the *Permission Ticket* will be very huge)
>>>    - Represent mapping between user and device via scope -- when you
>>> admin
>>>    set relation between particular device and user to the resource
>>> (device)
>>>    added scope which name consists of *user id* plus word *view* (I know
>>> it
>>>    is not good way to use scopes but I have no idea can better configure
>>> this
>>>    relation in keycloak)
>>>
>>
>> It seems company and realm have a 1:1 mapping ? If so, we end up missing
>> the group issue I mentioned previously.
>>
>> Makes sense ?
>>
>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>


More information about the keycloak-user mailing list