[keycloak-user] Scope Permissions with Resource Type

Farzad Panahi farzad.panahi at gmail.com
Mon Jun 10 15:43:58 EDT 2019


Hi Pedro,

If I create a scope-based permission without specifying the resource, then
that permission will apply to all the resources.
For instance in the example I mentioned in my previous email:

I want to create permissions to give only SCOPE_READ access (not
SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.

If I grant a permission for SCOPE_READ without specifying the resource, then
basically I am granting SCOPE_READ to all the resources, which is not what I
want. I want to only give SCOPE_READ to a specific set of resources.

I think, as you mentioned, merging resource-based and scope-based permissions
is a good idea and would work better. But as we do not have this feature now,
is there any other way to accomplish this using policies or something else?

Cheers

Farzad

On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> You can create a scope-based permission for a specific scope (without setting a
> resource). Would that help?
>
> I think we could also think about merging resource-based permission into
> scope-based permission so that we only have a single type of permission.
>
> Regards.
> Pedro Igor
>
> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi,
>>
>> I have a client authorization set-up like the following:
>>
>> RESOURCE_1:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_2:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_3:  [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>
>> USER_1: USER_GROUP_A
>> USER_2: USER_GROUP_A
>>
>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>
>> I want to create permissions to give only SCOPE_READ access (not
>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>
>> If I create a resource-based permission then it will grant access to
>> both scopes.
>> Unfortunately I cannot create a scope-based permission because scope
>> permissions do not support resource type. They only support resource. If I
>> want to use scope-based permissions then I have to create a permission for
>> every single resource in my resource type.
>>
>> I was wondering if there is a reason that scope-based permissions do not
>> support resource type?
>>
>> Also, does anyone have any idea how I can achieve my requirement given the
>> limitations that we have? Is there a way to create a policy that grants
>> access only to a certain scope?
>>
>>
>> Cheers
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

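The three options discussed in this thread (a resource-based permission on the resource type, a scope-based permission with no resource, and one scope-based permission per resource of the type) differ in what they grant. The script below is an added example, not code from the thread or from the Keycloak project: it builds the per-resource workaround in roughly the shape of a Keycloak authorization settings export (names instead of IDs, scope names as plain strings) and evaluates all three against a simplified model of the decision rules the thread describes. RESOURCE_9 / RESOURCE_TYPE_BETA, USER_3 / USER_GROUP_B and the permission names are constructed sample data; the evaluator is a deliberately small approximation of Keycloak's engine (group policies only, UNANIMOUS strategy), not the real one.

```python
"""Scope-based vs resource-based permissions in Keycloak, as a simplified model.

Constructed sample data and a small evaluator; this is not Keycloak's engine.
"""

# Resource-server settings mirroring the thread's set-up. RESOURCE_9 is an
# added resource of another type, so the "applies to all resources" effect
# of a scope-based permission without a resource becomes visible.
SETTINGS = {
    "resources": [
        {"name": "RESOURCE_1", "type": "RESOURCE_TYPE_ALPHA", "scopes": ["SCOPE_READ", "SCOPE_WRITE"]},
        {"name": "RESOURCE_2", "type": "RESOURCE_TYPE_ALPHA", "scopes": ["SCOPE_READ", "SCOPE_WRITE"]},
        {"name": "RESOURCE_3", "type": "RESOURCE_TYPE_ALPHA", "scopes": ["SCOPE_READ", "SCOPE_WRITE"]},
        {"name": "RESOURCE_9", "type": "RESOURCE_TYPE_BETA", "scopes": ["SCOPE_READ", "SCOPE_WRITE"]},
    ],
    "policies": [
        {"name": "USER_GROUP_A_POLICY", "type": "group", "groups": ["USER_GROUP_A"]},
    ],
}

# Constructed user -> group membership (USER_3 is an added outsider).
USERS = {"USER_1": ["USER_GROUP_A"], "USER_2": ["USER_GROUP_A"], "USER_3": ["USER_GROUP_B"]}


def read_only_permissions_per_resource(settings, resource_type, scope, policy):
    """The workaround from the thread: one scope-based permission per resource
    of the given type, each limited to a single scope and one policy."""
    perms = []
    for res in settings["resources"]:
        if res["type"] == resource_type and scope in res["scopes"]:
            perms.append({
                "name": f"{res['name']}-{scope}",   # assumed naming scheme
                "type": "scope",
                "resources": [res["name"]],
                "scopes": [scope],
                "policies": [policy],
                "decisionStrategy": "UNANIMOUS",
            })
    return perms


def policy_grants(settings, policy_name, user):
    """Only group policies are modelled: grant if the user is in any listed group."""
    pol = next(p for p in settings["policies"] if p["name"] == policy_name)
    if pol["type"] != "group":
        raise NotImplementedError("only group policies are modelled here")
    return any(g in USERS[user] for g in pol["groups"])


def is_granted(settings, permissions, user, resource, scope):
    """Simplified decision: some permission matches (resource, scope) and all
    of its policies grant the user (UNANIMOUS)."""
    res = next(r for r in settings["resources"] if r["name"] == resource)
    if scope not in res["scopes"]:
        return False
    for perm in permissions:
        if not all(policy_grants(settings, p, user) for p in perm["policies"]):
            continue
        if perm["type"] == "resource":
            # Resource-based: matched by explicit resource or by resource type,
            # and it covers every scope of the matched resource.
            by_type = perm.get("resourceType") == res["type"]
            by_name = resource in perm.get("resources", [])
            if by_type or by_name:
                return True
        elif perm["type"] == "scope":
            if scope not in perm["scopes"]:
                continue
            # Scope-based: no resources listed means "any resource with that scope".
            targets = perm.get("resources", [])
            if not targets or resource in targets:
                return True
    return False


# Option 1: resource-based on the type. Grants SCOPE_WRITE as well (too broad).
RESOURCE_BASED = [{"name": "alpha-all", "type": "resource",
                   "resourceType": "RESOURCE_TYPE_ALPHA",
                   "policies": ["USER_GROUP_A_POLICY"]}]

# Option 2: scope-based with no resource. Grants SCOPE_READ on RESOURCE_9 too.
SCOPE_NO_RESOURCE = [{"name": "read-any", "type": "scope", "scopes": ["SCOPE_READ"],
                      "policies": ["USER_GROUP_A_POLICY"]}]

# Option 3: the per-resource workaround.
PER_RESOURCE = read_only_permissions_per_resource(
    SETTINGS, "RESOURCE_TYPE_ALPHA", "SCOPE_READ", "USER_GROUP_A_POLICY")


def matrix(permissions, user):
    """(resource, scope) -> granted? for every resource/scope pair."""
    return {(r["name"], s): is_granted(SETTINGS, permissions, user, r["name"], s)
            for r in SETTINGS["resources"] for s in r["scopes"]}


if __name__ == "__main__":
    for label, perms in [("resource-based", RESOURCE_BASED),
                         ("scope, no resource", SCOPE_NO_RESOURCE),
                         ("scope, per resource", PER_RESOURCE)]:
        granted = sorted(k for k, v in matrix(perms, "USER_1").items() if v)
        print(f"{label:20s} USER_1 gets: {granted}")
```

The per-resource set has to be regenerated whenever a resource of that type is added, which is the maintenance cost the thread is trying to avoid; a script like this is what keeps that set in sync.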
