[keycloak-user] getting resource owner and logged-in (identity) user attributes in evaluation context

Dmitry Telegin dt at acutus.pro
Sat Jan 5 10:28:21 EST 2019


Hello Suresh,

I've experimented a bit with the JavaScript policy; I hope things will be similar with Drools.

You can obtain a user's custom attributes using the following expression:

	var attrs = $evaluation.realm.getUserAttributes(id);

where id is either $evaluation.context.identity.id (the user being authorized) or $evaluation.permission.resource.owner (UMA resource owner).

Hope this helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2019-01-05 at 13:26 +0000, Suresh Mali wrote:
> Each user has one or more resources, e.g. 'account'.
> Each user is assigned one or more agents. (An agent is a different user in the system with the role agent.)
> I have added them in user attributes. E.g., let us say there is user_a who has an account resource,
> and there are users with agent roles, say 'agent_a', 'agent_b', 'agent_c'.
> In user_a's attributes I have added the attribute
> allowed_agents = [ 'agent_a', 'agent_b' ]
> and agent_a & agent_b have the attribute
> allowed_users = ['user_a']
> Now in policy evaluation I want to ensure that when agent_a & agent_b try to access a resource owned by user_a they are allowed, while agent_c is not allowed.
> How do I access the resource owner's attributes and/or the identity's own attributes?
> I want to write an evaluation something like this:
> Is it possible to get $permission.resource.owner.attributes["allowed_agent"] to return ['agent_a','agent_b'], or $identity.attributes['allowed_users'] to return ['user_a'], so that I can evaluate the match?
> Something like below:
> rule "Authorize Resource Owner"
>     dialect "mvel"
>     when
>        $evaluation : Evaluation(
>            $identity: context.identity,
>            $permission: permission,
>            $permission.resource.owner.attribute['allowed_agents'].indexOf($identity.id) >= 0
>        )
>     then
>         $evaluation.grant();
> end
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
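The lookup Dmitry describes, turned into a complete policy body, as an added example that is not from the original mail and not Keycloak's own code. It models the `$evaluation` object with plain JavaScript so it runs under Node: `USERS`, the `realm` stand-in, and the `policy`/`decide` functions are constructed for this example. Two points a practitioner would want to check before pasting this into a real JavaScript policy: `$evaluation.context.identity.id` and `$evaluation.permission.resource.owner` are user ids (UUIDs), not usernames, so the `allowed_agents`/`allowed_users` attributes must hold ids or the match will never succeed; and, as far as I know, `realm.getUserAttributes(id)` in Keycloak returns a Java `Map<String, List<String>>`, so under Nashorn you would call `attrs.get('allowed_agents')` and `list.contains(id)` rather than the array methods used here.

```javascript
// Added example (not from the mail thread or from Keycloak). Everything below
// that stands in for Keycloak's $evaluation is constructed for this example.

// Constructed sample users, keyed by user id. Keycloak exposes ids, not usernames,
// in identity.id and resource.owner, so the attributes store ids as well.
const USERS = {
  'user-a-id':  { username: 'user_a',  allowed_agents: ['agent-a-id', 'agent-b-id'] },
  'agent-a-id': { username: 'agent_a', allowed_users: ['user-a-id'] },
  'agent-b-id': { username: 'agent_b', allowed_users: ['user-a-id'] },
  'agent-c-id': { username: 'agent_c' },
};

// Stand-in for $evaluation.realm with only the method the reply uses.
// Returns attribute name -> array of values, mirroring Keycloak's map of lists.
const realm = {
  getUserAttributes(id) {
    const user = USERS[id];
    if (!user) return {};
    const attrs = {};
    for (const key of Object.keys(user)) {
      attrs[key] = Array.isArray(user[key]) ? user[key] : [user[key]];
    }
    return attrs;
  },
};

// Read a multi-valued attribute defensively: a missing attribute is an empty list.
function attributeValues(attrs, name) {
  const values = attrs[name];
  return Array.isArray(values) ? values : [];
}

// The policy body. `evaluation` has the shape of Keycloak's $evaluation:
// context.identity.id, permission.resource.owner, realm, grant(), deny().
function policy(evaluation) {
  const agentId = evaluation.context.identity.id;
  const ownerId = evaluation.permission.resource.owner;

  // The owner always reaches their own resource.
  if (agentId === ownerId) {
    evaluation.grant();
    return;
  }

  const ownerAttrs = evaluation.realm.getUserAttributes(ownerId);
  const agentAttrs = evaluation.realm.getUserAttributes(agentId);

  // Require the relation to be declared on both sides. Whichever of the two
  // attributes an end user might be able to edit themselves, the other still gates.
  const ownerAllowsAgent = attributeValues(ownerAttrs, 'allowed_agents').indexOf(agentId) >= 0;
  const agentAllowsOwner = attributeValues(agentAttrs, 'allowed_users').indexOf(ownerId) >= 0;

  if (ownerAllowsAgent && agentAllowsOwner) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// Build a constructed evaluation for one agent/owner pair and report the decision.
function decide(agentId, ownerId) {
  let outcome = 'deny';
  const evaluation = {
    context: { identity: { id: agentId } },
    permission: { resource: { owner: ownerId, name: 'account' } },
    realm,
    grant() { outcome = 'grant'; },
    deny() { outcome = 'deny'; },
  };
  policy(evaluation);
  return outcome;
}

// Walk the scenario from the question: agent_a and agent_b are allowed, agent_c is not.
for (const agent of ['agent-a-id', 'agent-b-id', 'agent-c-id', 'user-a-id']) {
  console.log(USERS[agent].username + ' -> ' + decide(agent, 'user-a-id'));
}
```

Requiring both `allowed_agents` on the owner and `allowed_users` on the agent is a design choice rather than something the thread asks for; if only one of the two attributes is maintained, drop the other check, but be clear about who is able to edit the attribute that remains, because that person is then effectively writing the access-control list.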

