[keycloak-user] Policy Evaluation Rules

Alexey Titorenko titorenko at dtg.technology
Tue Feb 5 04:12:26 EST 2019

Hello guys!

Could you please help me with understanding how policies are evaluated?

I have a REST service with several operations. Each of them is protected by a corresponding scope (create, view, update, delete, list). For each of these scopes I defined a scope-based permission which controls access to its scope.

All of the permissions have just one ‘Default’ policy, which grants access to any user. The ‘delete’ permission in addition has a JavaScript-based policy which checks if the caller is the author of the document. So, only one permission is configured to evaluate the ‘Author’ policy.

I expect that the ‘Author’ policy will only be evaluated when the ‘delete’ operation on the service is called. But I see that it is evaluated each time ANY operation is called.

So, if all policies are evaluated for each call, then what is the purpose of specifying policies in permissions? What is the right way to use policies then?

Thank you, 
