I'm developing one POC, but can't understand how protect some resource for multiple users and
accounts in Keycloak
I have two users: bob and ana.
bob has EDIT permission to access accountId: 123, 234
ana has VIEW permission to access accountId: 123, 555
(In future it can have more than 10k accounts and users)
When users access /accounts/{accountId} I need know if user have permission on {accountId} and if they can VIEW or EDIT this page.
I think create User Attribute named allowed_accounts in each user, and Roles for VIEW and EDIT, but I think this is not the correct way to do this.
Can someone help me how can I model this on KeyCloak?
One option is, each account could be modeled as a resource and then add resource attributes. Use those attributes while evaluating the permissions
like edit-users and view-users, you can get more information from the keycloak authorization documentation
Related
I have RBAC Role Base Authorization (Casbin)
i want to say some role can update user information,
and also i have other role that can update users information but he/ she can not update for example users mobile number
For example, a certain role can edit users. Now, how can we say that a role can edit users, but for example, it cannot edit the mobile field and another role can?
I don't know how to do this process, I don't know the method, if there is a way to do it, I would appreciate it.
Maybe you can suggest me a way to do this
or a reference you have already done so using
i have some kind of this question
I have a admin role on my realm and a user-admin role for my test client.
The user-admin is only allowed to view users, edit them and map roles from the test client. I also want the user-admin to create new users.
Sadly the "Add User" Button is not displayed when i log in using a user-admin.
The only way to allow the user-admin to create users is to add the manage-users role from the ream-management client as a composite.
The problem with the manage-users role is that it also allows to view and edit groups and to map every role there is including my admin realm role.
I tried using the map-role permission from the admin role itself. That did not work and it seems that the manage-users role simply overweights the permissions of the role.
I'd expect something like a create permission for the Users ressouce but can't find anything like that.
Thanks,
Maik
Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I'm have role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating group with and adding there CS
The problem is that giving manage-users rights CS end up being able to manage roles and groups so it is able to grant other users management permissions. Thats not valid for my config - it is a role of some higher level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So in the end of the day I finally managed to find an working solution.
Problem was that Role manage-users cant be overriten by Policy.
With help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to setup configuration that fullfills the usecase.
With Keycloak preview feature admin_fine_grained_authz enabled I created global composite Role user-managers and granted it query-users Role from realm-management client. Then I created Policy that grants manage permission on Users resource when user has user-manager role.
That works perfectly
Hello again every one,
I have a question: I successfully implemented django-auth-ldap, the LDAP users can request successfully my DRF API. But nows, for my projetc needs, I have to define permissions depending of the group.
Indeed, I will have like 12 groups in my app. Depending of the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database the are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending of the group the user belong. In fact, if a user belong to the group ServerAdministrator, I want to allow him to access to every route accessible, but I dont know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser)
If yes, How does it work? Should I empty my whole Database and then let django-auth-ldap insert users and it also will create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin
I am new to Keycloak and I try to use it as authentication server in my solution.
I have the following entity's model: the devices are owned by a particular company to which some users belong. User with role admin can grant permission for viewing some set of devices to a regular user but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in company.
Based on these requirements, I decided to make companies as groups and devices as Keycloak's resources. To evaluate permissions, I chose rule based policy.
The question is -- Can I set group as an owner of resource to check this relation in policy?
If someone is more experienced in keycloak and knows how to better represent such model, please help.
Thank you in advance.
As working on keycloak, I didn't find any way to set the multiple owners for particular resources.
I'm having the alternate option to give the access permission, that owners have for their resources.
Let say Resource A owner is OWNER A, now there are two more user USER A and USER B. If suppose OWNER A already share the access permission to USER A and USER A wants to share Resource A to USER B on behalf of the Resource owner, then how should USER A can share the resource scopes to USER B?
Answer
Keycloak provides the facility of token exchanging or impersonation feature. With the help of this USER A can able to share the resources to USER B on behalf of the OWNER A (Owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want enforce permissions on is a Client in Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group before).
In order to assign the permission to groups of devices, use one Group/Role per group of device, then assign users to the Group/Role.