
My resources are events. Each event should be assigned to users with roles (Admin, Manager, Guest). There should always be the same roles available.

Examples:

  • User1 can access event1 as Admin
  • User2 can access event1 as Manager
  • User3 is admin on event2 but can't see event1

Now to the actual question:

How can you map this in Keycloak with Policy, Permission and role? Honestly, I have not found a good definition for scopes; maybe someone has a good example of their use.

max
  • Hi, did you find a way to implement this? I have the exact same use case. The only way I find to implement this is to create two roles ("E1 Admin", "E1 Manager") and then create two policies for the event: "E1 Admin Policy", which will require the "E1 Admin" role, and the "E1 Manager Policy", which will require the "E1 Manager" role. Then I would add the scope `event:edit`. With all this in place, I would then add a permission linking this scope with any of the policies defined before. The problem I see: I would need to create all this for every single event I create in the application. – aalbagarcia Apr 17 '19 at 10:42
  • I kept on looking and what I suggested in the previous comment might be the way to go with this: http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html – aalbagarcia Apr 17 '19 at 11:05

2 Answers

  1. Create roles Admin and Manager
  2. Create users (User1 and User2), then assign these users to the roles
  3. Create role based policies by selecting the necessary roles
  4. Create permissions by associating created resources and policies

According to the Keycloak documentation on scopes: "A resource's scope is a bounded extent of access that is possible to perform on a resource. In authorization policy terminology, a scope is one of the potentially many verbs that can logically apply to a resource. It usually indicates what can be done with a given resource. Examples of scopes are view, edit, delete, and so on. However, a scope can also be related to specific information provided by a resource. In this case, you can have a project resource and a cost scope, where the cost scope is used to define specific policies and permissions for users to access a project's cost."

You can create scopes, and those scopes can be associated with a resource. You can also create scope-based permissions.

  • If you can, please also help: https://stackoverflow.com/questions/66660297/keycloak-resource-based-role-scope-base-auth – chagan Mar 16 '21 at 17:27
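The four steps above and the per-event roles from aalbagarcia's comment, carried through as a small Python model (an added example, not Keycloak code and not the answerer's): events as resources, one role policy per (event, role) pair, scope permissions linking them, and the decision-strategy caveat. The role names (event1-admin and so on) and the user-to-role assignments are constructed for the example.

```python
# Added illustration of the mapping in the answer's four steps and aalbagarcia's
# comment; a simplified model, not Keycloak code. Names are constructed.
SCOPES = {"event:view", "event:edit"}             # same verbs on every event
RESOURCES = {"event1": SCOPES, "event2": SCOPES}  # step 4 input: one resource per event

# Step 3: role-based policies, one per (event, role) pair. This is why the
# comment notes that every new event needs its own roles and policies.
POLICIES = {
    "E1 Admin Policy":   {"type": "role", "roles": {"event1-admin"}},
    "E1 Manager Policy": {"type": "role", "roles": {"event1-manager"}},
    "E2 Admin Policy":   {"type": "role", "roles": {"event2-admin"}},
}
# Step 4: scope-based permissions tying (resource, scopes) to policies.
PERMISSIONS = [
    {"resource": "event1", "scopes": SCOPES,         "apply": {"E1 Admin Policy"}},
    {"resource": "event1", "scopes": {"event:view"}, "apply": {"E1 Manager Policy"}},
    {"resource": "event2", "scopes": SCOPES,         "apply": {"E2 Admin Policy"}},
]
# Step 2: constructed role assignments for the question's three users.
USER_ROLES = {
    "User1": {"event1-admin"},
    "User2": {"event1-manager"},
    "User3": {"event2-admin"},
}

def policy_grants(policy_name, user_roles):
    """Role policy: grants when the user holds one of its roles (Keycloak's
    per-role 'required' flag is not modelled here)."""
    return bool(POLICIES[policy_name]["roles"] & user_roles)

def evaluate(user, resource, scope, strategy="AFFIRMATIVE"):
    """Decide (user, resource, scope) the way the resource server would.

    AFFIRMATIVE: one granting permission covering the pair is enough.
    UNANIMOUS: every covering permission must grant, so the two overlapping
    event1 permissions above deny even the admin's view access, a common
    surprise when the resource server's decision strategy is changed.
    """
    if scope not in RESOURCES.get(resource, set()):
        return False                      # unknown resource, or scope not exposed
    roles = USER_ROLES.get(user, set())
    results = [any(policy_grants(p, roles) for p in perm["apply"])
               for perm in PERMISSIONS
               if perm["resource"] == resource and scope in perm["scopes"]]
    if not results:
        return False                      # nothing covers the pair: default deny
    return all(results) if strategy == "UNANIMOUS" else any(results)
```

Running `evaluate("User3", "event1", "event:view")` reproduces the question's third example: User3 is admin on event2 but is denied on event1 because no event1 policy matches any of User3's roles.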

With Keycloak Authorization, events (event1 and event2) should be your resources.

Admin, Manager and Guest should be your roles.

Then you need to create policies under Authorization to grant access to users/roles accordingly.

A scope usually indicates what can be done with a given resource. Examples of scopes are view, edit, delete, and so on.

You can refer here for more information.

ravthiru
  • If you can, please help: https://stackoverflow.com/questions/66660297/keycloak-resource-based-role-scope-base-auth – chagan Mar 16 '21 at 17:27
  • If you can, please help: https://stackoverflow.com/questions/54259442/keycloak-resource-based-role – chagan Mar 17 '21 at 17:59