Instance level RBAC in KeyCloak - authorization

I am looking for the following answer: Has anyone tried to implement instance-level RBAC with KeyCloak?
I have the following requirement: the user can be assigned a role within the instance of the resource type. Say, you have a resource type called Group. Within that Group, the user can be Group Admin, Group Editor, Group Viewer.
But outside that Group, the user has an organization-wide role.
So, I have 2 policies here organization-wide RBAC and instance-level RBAC.
I hope, it makes sense. Any help will be greatly appreciated.

Related

Oracle apex not recognizing user roles

So I have the users in a table and I know my login system works because I use it for other workspaces. However across all the applications in this particular workspace I am having an error where users roles are not being recognized in particular I can't even get the admin page to work for me and I am a developer. If anyone has any clue on how to fix this it would be greatly appreciated.
If that first image is the default Admin pages, then wouldn't that mean you have access since you can see that page?
(which by default, if you let APEX create it for you through New Page > Features > Access Control) has Administration Rights set as the Authorization scheme
You have two places to check to find the issue:
Shared Components > Security > Authorization Scheme
Go to or Click your Administation Rights, under Authorization Scheme, you need to make sure you are using Is in Role or Group IF that is the requirement and you are to use the created roles. Make sure the role, Administrator (if default roles exist) is listed.
if validation is once per session, and you're still in the same session. log out and log back in. The problem should go away
Shared Components > Security > Application Access Control
Check under Role Assignments if your username is there.
Click Administrator under Roles, and make sure Administration Rights under Associated Authorization Schemes has the Is in Role or Group as the scheme type
If there is a different Authorization scheme (not Is in Role or Group) or you have different roles, then I would suggest post a new question with more details on your setup.

How to create a hierarchy in Cumulocity?

I have a question regarding Cumulocity. I want to create a site hierarchy in Cumulocity, we can go up to sub-tenant level only but I want to create a hierarchy up to 2 level.
Let's take an example of schools, its locations, and different branches. Here I want to attach an owner with each branch and that owner should be able to register only their own users and devices. I was trying to achieve it using groups, roles etc but was not able to do it. If anyone can suggest how to proceed for this use case.
I can see two possible options using which this can be tried:
Groups
Custom Apps (Angular apps)
But I am not sure how to proceed as there is no direct UI for the user to group assignment and REST API for this assignment is giving me errors.
You can use the inventory permissions for configuring access rights that are limited to a certain group see documentation
The managing of only your own users can be achieved by giving a user the global permission for USER_MANAGEMENT_CREATE. Make sure to revoke the ADMIN and READ role as well.
I would not recommend to solve this with apps on the UI side. That way you can of course hide information from the user but he may still be access it via API. Only with the RBAC you can really ensure on API level that the access is managed correctly.

Permission linking between LDAP users groups and Django permissions (custom if possible)

Hello again every one,
I have a question: I successfully implemented django-auth-ldap, the LDAP users can request successfully my DRF API. But nows, for my projetc needs, I have to define permissions depending of the group.
Indeed, I will have like 12 groups in my app. Depending of the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database the are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending of the group the user belong. In fact, if a user belong to the group ServerAdministrator, I want to allow him to access to every route accessible, but I dont know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser)
If yes, How does it work? Should I empty my whole Database and then let django-auth-ldap insert users and it also will create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin

Jackrabbit permissions for multiple principals

I'm developing custom security scheme for web application based on Apache Jackrabbit. I've extended standard Jackrabbit security implementation for my needs, and so far it's working correctly. But, I'm having problems with multiple principals being assigned permissions on a node.
For example, user U is a member of group G. Groups G has no read permissions on a node, but user U has read permissions. What I mean by this is, group G has jcr:read privilege set to deny, and user U has jcr:read set to allow on a node.
Based on this, I would assume that user U would be able to read the node, even if he is a member of a group which is not allowed to read. However, the node does not show up for a user U (not expected), or for any other member of group G (expected).
Could somebody help me shed some light on this? Is my assumption correct, or does Jackrabbit calculate actual permissions differently? Or is this just an error in my security implementation?
From this article :
The list of access rights applicable for the subject is constructed from:
- the rights that you assign directly to the user account
- plus all rights assigned to any of the groups that the user belongs to
Means that, Jackrabbit take group privilege instead of user's privilege. You can read the entire article, it is good for JackRabbit secutiry.

Shiro Active Diectory with custom roles

How do I configure a Shiro to use Active Directory Authentication, but in addition I want to map the usernames to custom roles. I can't seem to find any information on this. Can anyone give me any pointers?
To do Active Directory Authentication use the JndiLdapRealm
For the authorization override the method queryForAuthorizationInfo
Be aware that you probably get group from your AD so you have to provide your own mapping (group to role).
About this shiro reference manual say :
A RolePermissionResolver can be used by a Realm internally when needing to translate a role name into a concrete set of Permission instances.
This is a particularly useful feature for supporting legacy or inflexible data sources that may have no notion of permissions.
For example, many LDAP directories store role names (or group names) but do not support association of role names to concrete permissions because they have no 'permission' concept. A Shiro-based application can use the role names stored in LDAP, but implement a RolePermissionResolver to convert the LDAP name into a set of explicit permissions to perform preferred explicit access control. The permission associations would be stored in
another data store, probably a local database.
Hope this will help
I'm working on doing the same thing, but I'm pretty sure you have to write a custom AuthenticationStrategy. I wanted to authenticate against AD but use the INI to define roles, but I could not get it to behave properly enough to not accept authentication against either (even utilizing FirstSuccessfulStrategy). I didn't get to look into it too much, so maybe one of the Shiro guys who floats around can correct this, but i hit these issues today.