[keycloak-user] How to get permission to all child resources

[Pedro Igor Silva]

Hey,

In your application you could perform some logic that asks permissions for
the resource with URI "/Document/Administration". Right now Keycloak does
not perform any parent/child mapping between resources on the server side.

Would that work for you ?

Regards.
Pedro Igor

On Sun, Mar 4, 2018 at 1:09 PM, Nhut Thai Le <ntle at castortech.com> wrote:

> Hello,
>
> We are new to Keycloak and we are exploring its abilities for securing our
> web api. One things we are trying to do is to get all permissions
> associated with a user for all child resources in a RPT. For example, let's
> say I'm trying to expose the folder Document on my file system to the
> network via REST. This Document folder may have millions of files and
> subfolders, most of them are accessible by all Users, some are only
> available to Admin, and some are for Customers only.
>
> On Keycloak server, i would define 3 resources named:
> "All Docs" with URL /Document/* and Role policy granting access to all
> Users
> "For Admin" with URL /Document/Administration/* and Role policy granting
> access to only Admins
> "For Customer" with URL /Document/Products/* and Role policy granting
> access to only Customers
>
> If i use the entitlement API, i can ask if Sarah who is a Users and a
> Customers can access "All Docs". However, if Sarah want to know/list all
> files under /Document/Administration/Contracts/Sarah/* then how should i
> ask entitlement API since this URL is not declared as a resource in
> Keycloak? If i can call the API for this path, I would like to receive from
> the API some permissions info starting from /Document/Administration
> because this is the closest ancestor known to Keycloak regarding the path
> being asked.
>
> Hope to get some insight soon
>
> ​Thai​
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user