[keycloak-user] [Authorization] User/Group based resource management

sesnor.silva at sapo.pt sesnor.silva at sapo.pt
Thu Nov 14 11:27:25 EST 2019


Hello there,

I'm trying to determine the best way to manage access to resources in  
a per user/group manner. I know it's possible to define an owner for a  
resource, but in my use case I'd like to give ownership of a resource  
to a group of users.

This way, if any user outside of this group requested access to a  
resource, any user inside the group would be able to grant access  
permissions to it.

What I'm currently doing is defining an attribute for each resource  
called "owners" and giving it a comma-separated list of IDs of the  
users that own the resource. Then in the policies I control access  
like this:

var permission = $evaluation.getPermission();
var identity = $evaluation.getContext().getIdentity();
var resource = permission.getResource();

// Resource attributes: a map of attribute name to a list of values.
var attributes = resource.getAttributes();
var owners = attributes['owners'];

if (owners) {
     // Grant as soon as the requesting user's ID is found among the owners.
     for (var i in owners) {
         if (owners[i] == identity.getId()) {
             $evaluation.grant();
             break;
         }
     }
}

It works OK... But the downside is, if in my application I want to  
list all resources the user has access to, this requires me to query  
every individual resource and iterate over this comma-separated list.

Is there an easier way? Maybe I'm missing something when it comes to UMA?

Thank you and great work on the authz module.

I hope you're not getting this email twice, because I wasn't sure if I  
had to register myself first on the mailing list.

Best regards,
Silva
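The following is an added example, not code from the post above or from the Keycloak project. It models the poster's "owners" policy as a plain JavaScript function so it can be run outside Keycloak with a mocked $evaluation, and extends it with group-based ownership. Assumptions: a hypothetical "owner-groups" resource attribute holding group paths, and a "groups" claim on the identity (which only exists if a Group Membership mapper adds it to the token). Real Keycloak passes resource attributes as a Java Map of String to List, which the policy engine exposes with index access like an array; the mock below uses plain arrays for the same shape. The identity claim lookup uses `getAttributes().getValue(name)`, which returns an entry with `size()` and `asString(i)`, or null when the claim is absent.

```javascript
// Normalise a resource attribute value to an array of trimmed IDs.
// Accepts undefined/null, a single string, or an array of strings, and
// splits each string on commas, so the poster's "id1,id2" convention and a
// genuinely multi-valued attribute are handled the same way.
function splitValues(value) {
  if (value === undefined || value === null) return [];
  var raw = Array.isArray(value) ? value : [value];
  var out = [];
  for (var i = 0; i < raw.length; i++) {
    var parts = String(raw[i]).split(',');
    for (var j = 0; j < parts.length; j++) {
      var id = parts[j].trim();
      if (id.length > 0) out.push(id);
    }
  }
  return out;
}

// Policy body. In a Keycloak JavaScript policy this is the script itself and
// `evaluation` is the $evaluation global; the logic is otherwise identical.
// Returns a label describing the decision so it can be checked in tests.
function ownersPolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  var resource = evaluation.getPermission().getResource();
  var attributes = resource.getAttributes();

  // Direct ownership: the user's ID is listed in the "owners" attribute.
  var owners = splitValues(attributes['owners']);
  if (owners.indexOf(identity.getId()) !== -1) {
    evaluation.grant();
    return 'grant:owner';
  }

  // Group ownership (assumed convention): "owner-groups" resource attribute
  // matched against the "groups" claim carried by the identity.
  var ownerGroups = splitValues(attributes['owner-groups']);
  var groupsClaim = identity.getAttributes().getValue('groups');
  if (groupsClaim !== null && groupsClaim !== undefined) {
    for (var k = 0; k < groupsClaim.size(); k++) {
      if (ownerGroups.indexOf(groupsClaim.asString(k)) !== -1) {
        evaluation.grant();
        return 'grant:group';
      }
    }
  }

  // A policy that never calls grant() denies; no explicit deny() needed.
  return 'deny';
}

// Constructed mock of the parts of $evaluation this policy touches.
function mockEvaluation(userId, userGroups, resourceAttributes) {
  var granted = false;
  var claimEntry = {
    size: function () { return userGroups.length; },
    asString: function (i) { return userGroups[i]; }
  };
  var identity = {
    getId: function () { return userId; },
    getAttributes: function () {
      return {
        getValue: function (name) {
          return name === 'groups' && userGroups.length > 0 ? claimEntry : null;
        }
      };
    }
  };
  var resource = { getAttributes: function () { return resourceAttributes; } };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { granted = true; },
    isGranted: function () { return granted; }
  };
}

// Constructed sample resource: owners stored the poster's way (one value
// with comma-separated IDs) plus one owning group path.
var sampleResource = {
  'owners': ['1111-aaaa, 2222-bbbb'],
  'owner-groups': ['/finance/approvers']
};
```

Run it with `ownersPolicy(mockEvaluation('2222-bbbb', [], sampleResource))`, which grants via the owners list, and with a user outside the list but inside `/finance/approvers`, which grants via the group. Keeping the split-and-trim step in one helper is what makes a value entered as "id1, id2" and a true multi-valued attribute behave identically, the inconsistency the original loop is exposed to.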
