[keycloak-user] How to implement access to resources based on resource roles

Alfonso Alba García alfonso at alfonsoalba.com
Wed Apr 17 12:45:05 EDT 2019


Hi guys,

We have a rails app with a very simple Role-Based access control model. 
The thing is that this very simple model needs to become something much 
more fine grained and I think that keycloak is the right tool for that.

We need a permission system to do the following:

* "Organisations" have users with different roles: Owner, Admins, 
Collaborators and Members. These roles are what we call "Resource Roles"

* "Organisations" have modules or packages (for example "Events package" 
or "Email package") that the owner can buy. Only the users with resource 
role "Owner" can buy these items.

* Owners and Admins of an organisation can edit the organization profile 
or any resource of the organization (Event, Meeting, Contact, etc)

* Owners and Admins of an organisation can add users to packages. For 
example, user XXXX will have permission to edit,create,destroy and view 
any resource created in module YYYY in organisation ZZZZ.

* Owners and Admins can add Collaborators: a collaborator will have 
permission to access certain organisation resources, for example, 
collaborator XXX will have permission to edit Event YYYYY

* Owners and Admins can add Members: a member will have permission to 
see all the resources from all the active packages that are marked as 
"visible by members only"

* Members can edit the organization resources they create inside the 
packages they have access to

* Packages have limits: if the organisation is free, you can only 
create 2 events, for example.

* etc, etc, etc...

These are just a few of the permissions we need. At the moment, the 
product owner is changing the roles and permissions regularly trying to 
find the best way to monetise and test the business model. We need a way 
to deploy those changes as soon as possible and I think keycloak can 
help us with this task!

I've done some research about this use case and I found these two 
threads [1], [2] in which a similar (simplified) model is discussed.

I've installed keycloak locally and now I'm trying to implement these 
requirements. I've started with the ones I think are the easiest: the 
organisation Owner and Administrator. Following what's suggested in the 
threads mentioned above, I implemented these resource roles as follows:

* Create three scopes: organisation:edit, organisation:view, 
organisation:billing

* Create a resource "Organisation 1" with scopes organisation:edit, 
organisation:view and organisation:billing

* Create two client roles "Organisation 1 Owner" and "Organisation 1 
Administrator"

* Create two policies: "Organisation 1 Owner Policy" and "Organisation 1 
Administrator Policy"

* Create one scope-permission "Organisation 1 Managers Permissions" that 
allows users with roles "Organisation 1 Owner" or "Organisation 1 
Administrator" to get permission for the scopes organisation:edit and 
organisation:view

* Create one scope-permission "Organisation 1 Owners Permissions" that 
allows users with role "Organisation 1 Owner" to access the scope 
organisation:billing

I created these for three organisations, as well as several users. 
I've been playing around with them using the Evaluate functionality of 
the keycloak client and apparently everything is working fine. Now I'm 
thinking about how I could implement the access to the packages I 
mentioned above, the members, etc, but before I continue I have several 
questions:

* Since users can have different roles in different organisations, I'm 
creating only one realm. I guess that's ok since different realms do not 
share users.

* For every organisation that we create in our application we will need 
to create all the policies, roles and permissions described above. Is 
this supposed to be like that or am I missing something?

* If this is the way to do it, I was wondering if it's a good idea to 
create a Resource Server (i.e. a new client inside the realm) for each 
organisation. This way I can create a client organisation-1-client with 
all the resources, policies and permissions for "Organisation 1". I 
think that this will make deleting an organisation quite easy: after the 
user deletes the organisation, I just need to delete the client 
organisation-1-client. I don't know if this is a good idea or not. Does it 
have any negative impact on performance? Will this make the application 
code more difficult? Or maybe this is not a good practice for some reason?

Thanks for your time. Regards,

Alfonso


-------
[1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
[2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html
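The per-organisation setup described above (three scopes, one resource, two client-role policies, two scope permissions) can be generated rather than clicked through. The Ruby script below is an added example, not code from the post, from the rails app it mentions or from Keycloak: it builds the settings for one organisation in the JSON shape Keycloak uses when it exports and imports a resource server's authorization settings, and then evaluates a (resource, scope) request locally the way the "Evaluate" tab does for role policies. The client id `my-rails-app`, the resource type URN and the helper names (`organisation_settings`, `permitted?`) are assumptions; compare the generated document with an export of your own client before importing it.

```ruby
require 'json'

# Added example, not from the mailing-list post or from Keycloak itself.
# Assumed values: the client id CLIENT_ID and the resource type URN below.
CLIENT_ID = 'my-rails-app'.freeze
SCOPES = %w[organisation:edit organisation:view organisation:billing].freeze

# A role policy that grants when the user holds any of the listed client
# roles (required: false). Client roles are referenced as "clientId/role".
def role_policy(name, roles)
  {
    'name' => name, 'type' => 'role', 'logic' => 'POSITIVE',
    'decisionStrategy' => 'UNANIMOUS',
    'config' => {
      'roles' => JSON.generate(roles.map { |r| { 'id' => "#{CLIENT_ID}/#{r}", 'required' => false } })
    }
  }
end

# A scope-based permission. AFFIRMATIVE means any one of the applied
# policies is enough, which is what "Owner OR Administrator" needs; with the
# default UNANIMOUS the user would have to satisfy both policies.
def scope_permission(name, resource, scopes, policies)
  {
    'name' => name, 'type' => 'scope', 'logic' => 'POSITIVE',
    'decisionStrategy' => 'AFFIRMATIVE',
    'config' => {
      'resources' => JSON.generate([resource]),
      'scopes' => JSON.generate(scopes),
      'applyPolicies' => JSON.generate(policies)
    }
  }
end

# Everything the post creates by hand for one organisation, as one document.
def organisation_settings(org)
  owner_policy = "#{org} Owner Policy"
  admin_policy = "#{org} Administrator Policy"
  {
    'policyEnforcementMode' => 'ENFORCING',
    'decisionStrategy' => 'UNANIMOUS',
    'scopes' => SCOPES.map { |s| { 'name' => s } },
    'resources' => [{ 'name' => org, 'type' => 'urn:myapp:organisation',
                      'scopes' => SCOPES.map { |s| { 'name' => s } } }],
    'policies' => [
      role_policy(owner_policy, ["#{org} Owner"]),
      role_policy(admin_policy, ["#{org} Administrator"]),
      scope_permission("#{org} Managers Permissions", org,
                       %w[organisation:edit organisation:view], [owner_policy, admin_policy]),
      scope_permission("#{org} Owners Permissions", org,
                       %w[organisation:billing], [owner_policy])
    ]
  }
end

# Does a role policy grant for a user holding these client roles?
def policy_grants?(policy, user_roles)
  JSON.parse(policy['config']['roles'])
      .map { |r| r['id'].split('/', 2).last }
      .any? { |r| user_roles.include?(r) }
end

# Local decision for one (resource, scope) pair: only permissions covering
# the pair are evaluated, each combines its policies by its own
# decisionStrategy, and the resource server's decisionStrategy combines the
# permissions. No covering permission means deny.
def permitted?(settings, user_roles, resource, scope)
  by_name = settings['policies'].to_h { |p| [p['name'], p] }
  applicable = settings['policies'].select do |p|
    p['type'] == 'scope' &&
      JSON.parse(p['config']['resources']).include?(resource) &&
      JSON.parse(p['config']['scopes']).include?(scope)
  end
  return false if applicable.empty?

  verdicts = applicable.map do |perm|
    outcomes = JSON.parse(perm['config']['applyPolicies'])
                   .map { |n| policy_grants?(by_name.fetch(n), user_roles) }
    perm['decisionStrategy'] == 'AFFIRMATIVE' ? outcomes.any? : outcomes.all?
  end
  settings['decisionStrategy'] == 'AFFIRMATIVE' ? verdicts.any? : verdicts.all?
end

if $PROGRAM_NAME == __FILE__
  settings = organisation_settings('Organisation 1')
  puts JSON.pretty_generate(settings)
  # Constructed check: an Administrator may edit but may not reach billing.
  puts permitted?(settings, ['Organisation 1 Administrator'], 'Organisation 1', 'organisation:edit')
  puts permitted?(settings, ['Organisation 1 Administrator'], 'Organisation 1', 'organisation:billing')
end
```

Two things the script makes visible that the console hides. First, because the Managers permission applies two separate role policies, its decision strategy has to be AFFIRMATIVE, otherwise a user would need both the Owner and the Administrator role; a single role policy listing both roles would also grant on either one. Second, because every name is derived from the organisation name, the roles, policies and permissions for a new organisation are a template applied on creation (and removed on deletion) rather than something to recreate by hand, which is the per-organisation repetition the post asks about.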
