[keycloak-user] Policy Evaluation Rules

Pedro Igor Silva psilva at redhat.com
Tue Feb 5 07:12:04 EST 2019


It depends on how you are sending the authorization requests. If you
request permissions for a resource, permissions associated with the resource
and any associated scope will be evaluated. However, if you only send an
authorization request for a particular scope, only permissions (and
associated policies) associated with that scope are evaluated.

On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko <titorenko at dtg.technology>
wrote:

> Hello guys!
>
> Could you please help me with understanding how policies are evaluated?
>
> I have a REST service with several operations. Each of them is protected by
> a corresponding scope (create, view, update, delete, list). For each of these
> scopes I defined a scope-based permission which controls access to its scope.
>
> All of the permissions have just one ‘Default’ policy, which grants access
> to any user. The ‘delete’ permission in addition has a JavaScript-based
> policy which checks if the caller is the author of the document. So, only one
> permission is configured to evaluate the ‘Author’ policy.
>
> I expect that the ‘Author’ policy will only be evaluated when the ‘delete’
> operation on the service is called. But I see that it is evaluated each time
> ANY operation is called.
>
> So, if all policies are evaluated for each call, then what is the purpose of
> specifying policies in permissions? What is the right way to use policies
> then?
>
>
> Thank you,
> Alexey.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
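The rule in the reply above, as an added example that is not code from the thread or from Keycloak: a small model of which permissions (and therefore which policies) get evaluated for a resource-level request versus a scope-only request, using the permission layout from the question. The "resource#scope" and "#scope" forms of the `permission` parameter follow the Keycloak UMA ticket request documentation and are an assumption for your version; the permission names and the `documents` resource are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


@dataclass(frozen=True)
class Permission:
    name: str
    scope: str             # scope-based permission: the single scope it guards
    policies: Tuple[str, ...]  # all must pass (Unanimous decision strategy)


# Constructed permission set mirroring the question: one scope-based
# permission per scope, each with the "Default" policy; only "delete"
# additionally carries the JavaScript "Author" policy.
SCOPES = ("create", "view", "update", "delete", "list")
PERMISSIONS = tuple(
    Permission(f"{s}-permission", s,
               ("Default", "Author") if s == "delete" else ("Default",))
    for s in SCOPES
)


def authorization_request(resource: Optional[str], scope: Optional[str]) -> str:
    """Form body for the token endpoint. '#scope' asks for a scope only;
    a bare resource name asks for the resource and all of its scopes."""
    perm = f"{resource or ''}#{scope}" if scope else resource
    return urlencode({"grant_type": UMA_GRANT, "permission": perm})


def evaluated(resource: Optional[str], scope: Optional[str]) -> Tuple[Permission, ...]:
    """Permissions the server evaluates for the given request (model)."""
    if scope is None:
        # Resource-level request: every permission associated with the
        # resource or with any of its scopes is evaluated.
        return PERMISSIONS
    # Scope-only request: just the permissions associated with that scope.
    return tuple(p for p in PERMISSIONS if p.scope == scope)


def policies_run(resource: Optional[str], scope: Optional[str]) -> set:
    """Set of policy names that actually execute for the request."""
    return {pol for p in evaluated(resource, scope) for pol in p.policies}
```

Requesting the whole `documents` resource runs the `Author` policy even for a `view` call, which is the behaviour reported in the question; sending `permission=#view` runs only the `Default` policy.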
