[keycloak-user] Questions about scope-permissions and resource types

Pedro Igor Silva psilva at redhat.com
Mon Jul 22 09:15:11 EDT 2019


Hi Álvaro,

There is no restriction for doing that. I think this issue is related:
https://issues.jboss.org/browse/KEYCLOAK-10663.

Regards.
Pedro Igor

On Mon, Jul 22, 2019 at 9:55 AM Álvaro Gómez <alvaro.gomez.gimenez at tecsisa.com> wrote:

> Hi,
>
> We are using UMA and scope-permissions to manage fine-grained access to
> resources. We've noticed that we can specify a set of involved resources
> when defining scope-permissions (the UI only supports specifying a single
> resource, but the API allows defining a set of resources).
>
> Referencing the involved resources in a scope-permission using a fixed list
> could be problematic if the size of that list is big enough. We think it
> would be useful to group all the resources using a resource-type and specify
> that resource-type in the scope-permission, as one can do in a
> resource-permission. Is there any reason why this is not supported in a
> scope-permission?
>
> Having a resource type reference available in scope-permissions would be
> useful for solving the following scenario:
>
> * Given a large number of bank accounts, each one represented by a resource
>   (associated with some scopes like read, update or delete) in the Resource
>   Server and owned by a specific user.
> * Users can manage their own accounts following the UMA rules (sharing
>   specific scopes of their accounts with other users).
> * Some user with an Administrator role should be able to read ALL accounts
>   without having them shared with him and without needing to update any
>   permission when a new bank account is created.
>
> We would like to "group" all accounts using a resource-type and define a
> single permission "can-read-bank-account" which grants access to the scope
> read of all bank accounts to the owner (via JS policy) and to any
> administrator user (using a role policy). If we protect the following
> endpoint:
>
> GET /accounts/3273af-544b3940-211da3
>
> using the resource "bank-account-3273af-544b3940-211da3" and the scope
> "read", both the resource owner and the Administrator user must be granted
> when evaluating the permission "can-read-bank-account".
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
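As an added example (not part of either message), here is how the owner side of the proposed "can-read-bank-account" permission could be written as a Keycloak JavaScript policy; the administrator side stays the built-in role policy the post describes. `$evaluation`, `getContext().getIdentity()`, `getPermission().getResource()`, `getOwner()`, `getType()`, `grant()` and `deny()` are the Keycloak policy API; the resource type URN and the `fakeEvaluation`/`fakeResource` stand-ins are constructed here so the decision can be exercised offline.

```javascript
// Added example, not from the thread. Grants only when the requested resource is a
// bank account (constructed type URN below) owned by the identity being evaluated.
// Wrapped in a function so the same logic runs inside Keycloak and in Node.
var BANK_ACCOUNT_TYPE = 'urn:bank:resources:account'; // constructed, not from the post

function ownerPolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  var resource = evaluation.getPermission().getResource();
  // A scope-permission may be evaluated for a scope with no resource attached,
  // so never dereference a null resource.
  if (resource === null || resource === undefined) {
    evaluation.deny();
    return false;
  }
  // String() normalises Java strings under Nashorn and plain strings in Node.
  var isBankAccount = String(resource.getType()) === BANK_ACCOUNT_TYPE;
  var isOwner = String(resource.getOwner()) === String(identity.getId());
  if (isBankAccount && isOwner) {
    evaluation.grant();
    return true;
  }
  evaluation.deny(); // administrators are handled by the separate role policy
  return false;
}

// Inside Keycloak the engine injects $evaluation; in Node it is undefined.
if (typeof $evaluation !== 'undefined') {
  ownerPolicy($evaluation);
}

// Constructed stand-in exposing only the API calls the policy uses.
function fakeEvaluation(userId, resource) {
  var decision = 'DENY';
  return {
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}
function fakeResource(ownerId, type) {
  return { getOwner: function () { return ownerId; }, getType: function () { return type; } };
}
```

Attached to the scope-permission alongside the role policy with an affirmative decision strategy, either policy granting is enough for the request on the "read" scope to pass.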

