[keycloak-user] Admin console permissions vs. UMA Policies

Lamina, Marco marco.lamina at sap.com
Mon Nov 26 19:00:16 EST 2018


Hi,
I am unsure if my understanding of Keycloaks permission evaluation engine is flawed, or if there’s a bug in the system. I have a resource that is protected by multiple permissions. What is the expected behavior if one permission decides to DENY and another decides to PERMIT? I would expect that the overall decision would be PERMIT.
However, I can create both scenarios – overall decision PERMIT / DENY – depending on which permissions I set (see screenshots for details). I wasn’t able to find a detailed explanation in the docs, so I would be grateful for some clarity.

Thanks,
Marco

[cid:image001.png at 01D485A1.1D536320][cid:image002.png at 01D485A1.1D536320]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 113909 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181127/b93fb9d1/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 129167 bytes
Desc: image002.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181127/b93fb9d1/attachment-0003.png 


More information about the keycloak-user mailing list