[keycloak-user] Questions about scope-permissions and resource types

Álvaro Gómez alvaro.gomez.gimenez at tecsisa.com
Mon Jul 22 08:42:38 EDT 2019


Hi,

We are using UMA and scope-permissions to manage fine-grained access to resources. We've noticed that we can specify a set of involved resources when defining scope-permissions (the UI only supports specifying a single resource, but the API allows defining a set of resources).

Referencing the involved resources in a scope-permission using a fixed list could be problematic if that list is big enough. We think it would be useful to group all the resources using a resource-type and to specify that resource-type in the scope-permission, as one can do in a resource-permission. Is there any reason why this is not supported in a scope-permission?

Having a resource-type reference available in scope-permissions would be useful in solving the following scenario:

* Given a large number of bank accounts, each one represented by a resource (associated with some scopes like read, update or delete) in the Resource Server and owned by a specific user.
* Users can manage their own accounts following the UMA rules (sharing specific scopes of their accounts with other users).
* Some user with an Administrator role should be able to read ALL accounts without having them shared with him and without needing to update any permission when a new bank account is created.

We would like to "group" all accounts using a resource-type and define a single permission "can-read-bank-account" which grants access to the "read" scope of all bank accounts to the owner (via a JS policy) and to any Administrator user (using a role policy). If we protect the following endpoint:

GET /accounts/3273af-544b3940-211da3

using the resource "bank-account-3273af-544b3940-211da3" and the scope "read", both the resource owner and the Administrator user must be granted access when evaluating the permission "can-read-bank-account".
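As an added illustration of the gap described in the post (this is not configuration from the original message or from the Keycloak project), the fragment below is written in the format of a Keycloak authorization-settings export for the resource server. It contains the two ways the scenario can currently be expressed: a scope-based permission that must enumerate every account resource by name (the maintenance problem the post raises), and a resource-based permission keyed on the resource type, which covers every account carrying that type automatically, including ones created later, but applies to all of the resource's scopes rather than only "read". The "Only Owner" JS policy follows the pattern shown in the Keycloak documentation. The resource type URN `urn:bank:resources:account`, the realm role name `administrator`, and the policy names are assumptions.

```json
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "decisionStrategy": "UNANIMOUS",
  "scopes": [
    { "name": "read" },
    { "name": "update" },
    { "name": "delete" }
  ],
  "resources": [
    {
      "name": "bank-account-3273af-544b3940-211da3",
      "type": "urn:bank:resources:account",
      "ownerManagedAccess": true,
      "uris": [ "/accounts/3273af-544b3940-211da3" ],
      "scopes": [ { "name": "read" }, { "name": "update" }, { "name": "delete" } ]
    }
  ],
  "policies": [
    {
      "name": "Only Owner Policy",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar permission = $evaluation.getPermission();\nvar resource = permission.getResource();\nif (resource && resource.getOwner().equals(identity.getId())) {\n  $evaluation.grant();\n}"
      }
    },
    {
      "name": "Administrator Role Policy",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"administrator\",\"required\":false}]"
      }
    },
    {
      "name": "can-read-bank-account (scope-based, fixed resource list)",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "resources": "[\"bank-account-3273af-544b3940-211da3\"]",
        "scopes": "[\"read\"]",
        "applyPolicies": "[\"Only Owner Policy\",\"Administrator Role Policy\"]"
      }
    },
    {
      "name": "can-access-bank-account (resource-based, by type)",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "defaultResourceType": "urn:bank:resources:account",
        "applyPolicies": "[\"Only Owner Policy\",\"Administrator Role Policy\"]"
      }
    }
  ]
}
```

Two details matter for the access outcome the post expects. Both permissions use `"decisionStrategy": "AFFIRMATIVE"` so that either the owner policy or the administrator role policy is enough to grant; with the default `UNANIMOUS` an owner who is not an administrator (or vice versa) would be denied. The owner checked by the JS policy is the resource's owner as recorded when the resource was registered (for UMA, typically through the Protection API with the owning user's token), and `ownerManagedAccess` is what lets that owner share individual scopes with other users.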

