[keycloak-user] Scope Permissions with Resource Type

Pedro Igor Silva psilva at redhat.com
Mon Jun 10 08:21:52 EDT 2019


You can create a scope-based permission for a specific scope (without setting a
resource). Would that help?

I think we could also think about merging resource-based permission into
scope-based permission so that we only have a single type of permission.

Regards.
Pedro Igor

On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Hi,
>
> I have a client authorization set-up like the following:
>
> RESOURCE_1:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
> RESOURCE_2:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
> RESOURCE_3:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>
> USER_1: USER_GROUP_A
> USER_2: USER_GROUP_A
>
> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>
> I want to create permissions to give only SCOPE_READ access (not
> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>
> If I create a resource-based permission then it will grant access to
> both scopes.
> Unfortunately I cannot create a scope-based permission because scope
> permission does not support resource type. It only supports resource. If I
> want to use scope-based permission then I have to create a permission for
> every single resource in my resource type.
>
> I was wondering if there is a reason that scope-based permission does not
> support resource type?
>
> Also, does anyone have any idea how I can achieve my requirement given the
> limitations that we have? Is there a way to create a policy that grants
> access only to a certain scope?
>
>
> Cheers
>
> Farzad
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
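For reference, here is what the suggested set-up looks like as a Keycloak
authorization settings export (the JSON you get from the client's Authorization
tab and can re-import). This is an added example written for this thread, not
code from either poster or from the Keycloak project. The scope, resource, group
and policy names are taken from the question above; the permission name
ALPHA_READ_PERMISSION, the group path /USER_GROUP_A, and the exact
representation keys are assumptions based on the export format, so check them
against an export from your own server before importing.

```json
{
  "allowRemoteResourceManagement": false,
  "policyEnforcementMode": "ENFORCING",
  "scopes": [
    { "name": "SCOPE_READ" },
    { "name": "SCOPE_WRITE" }
  ],
  "resources": [
    {
      "name": "RESOURCE_1",
      "type": "RESOURCE_TYPE_ALPHA",
      "ownerManagedAccess": false,
      "scopes": [ { "name": "SCOPE_READ" }, { "name": "SCOPE_WRITE" } ]
    },
    {
      "name": "RESOURCE_2",
      "type": "RESOURCE_TYPE_ALPHA",
      "ownerManagedAccess": false,
      "scopes": [ { "name": "SCOPE_READ" }, { "name": "SCOPE_WRITE" } ]
    },
    {
      "name": "RESOURCE_3",
      "type": "RESOURCE_TYPE_ALPHA",
      "ownerManagedAccess": false,
      "scopes": [ { "name": "SCOPE_READ" }, { "name": "SCOPE_WRITE" } ]
    }
  ],
  "policies": [
    {
      "name": "USER_GROUP_A_POLICY",
      "description": "Group policy: grants access to members of USER_GROUP_A (group path /USER_GROUP_A is an assumption)",
      "type": "group",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "groups": "[{\"path\":\"/USER_GROUP_A\",\"extendChildren\":false}]"
      }
    },
    {
      "name": "ALPHA_READ_PERMISSION",
      "description": "Scope-based permission with no resource set: applies to every resource that carries SCOPE_READ, and only to that scope. SCOPE_WRITE is not listed, so it is not granted.",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "scopes": "[\"SCOPE_READ\"]",
        "applyPolicies": "[\"USER_GROUP_A_POLICY\"]"
      }
    }
  ]
}
```

Two things to keep in mind with this layout. First, a scope-only permission is
keyed on the scope, not on the resource type, so it covers every resource in the
client that has a scope called SCOPE_READ, including resources of other types;
if some other type must stay closed to USER_GROUP_A, give that type its own
scope names (or pair the permission with a negative policy) rather than reusing
SCOPE_READ. Second, the read-only effect only holds if no resource-based
permission for RESOURCE_TYPE_ALPHA also applies USER_GROUP_A_POLICY, since that
one would grant both scopes. After importing, the Evaluate tab of the client's
Authorization settings is the quickest way to confirm that USER_1 gets
RESOURCE_1#SCOPE_READ and is denied RESOURCE_1#SCOPE_WRITE.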

