I am a little confused in my about permissions, in my dev environment I have a setup the following permission groups:
GroupOwners (Full controls).
GroupMembers (Contribute, Approve).
GroupVisitors (Read).
I have the following site collections:
SampleBlog/
With the following sites: SampleBlog/News/Contacts/Marketing/Finance/Property
I want to give design permissions to three users only for the following sites:
User1 has design permissions only for SampleBlog/Contacts.
User2 has design permissions only for SampleBlog.Marketing.
User3 has design permissions only for SampleBlog/Finance.
The above users should be visitors for the rest of the sites.
How do I achieve this. Any suggestion will be greatly appreciated?
Thanks in advance
First, you have to remove permissions inheritance on site :
SampleBlog/Contacts
SampleBlog/Marketing
SampleBlog/Finance
then set permissions on each site like :
Site SampleBlog/Contacts
design permissions for User1
Visitor User2,User3
Site SampleBlog/Marketing
design permissions for User2
Visitor User1,User3
Site SampleBlog/Finance
design permissions for User3
Visitor User1,User2
Regards
Related
Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I'm have role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating group with and adding there CS
The problem is that giving manage-users rights CS end up being able to manage roles and groups so it is able to grant other users management permissions. Thats not valid for my config - it is a role of some higher level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So in the end of the day I finally managed to find an working solution.
Problem was that Role manage-users cant be overriten by Policy.
With help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to setup configuration that fullfills the usecase.
With Keycloak preview feature admin_fine_grained_authz enabled I created global composite Role user-managers and granted it query-users Role from realm-management client. Then I created Policy that grants manage permission on Users resource when user has user-manager role.
That works perfectly
net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.
GE GSAS
- user1
- user2
APAC
-user3
-user4
SE&A
-user5
-user6
These users have different permissions or roles. For example, RegionalAdmin,GlobalAdmin,Users etc
These users will be creating some orders in the portal. For example, Regional head can reassign orders within that region only to other users. For global head he/she can reassign orders to anyone. Users can create orders and view delete and users cannot reassign orders. All these users are part of Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking the design strategy like this, I can create groups as per regions and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin,GlobalAdmin etc and these users have some extra functionalities aloowed in web/api permission. Can someone help me regarding this and how to organize groups or roles with respect to above scenario. Any help owuld be greatly appreciated. Thank you
Assuming regional admin you mentioned as a custom role in your application(as there is no such role in AAD), it is always better to use the administrative-units and a suggestable approach would be to create groups separately for regional admin, global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups and roles can be assigned to individual users/groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
I'm developing one POC, but can't understand how protect some resource for multiple users and
accounts in Keycloak
I have two users: bob and ana.
bob has EDIT permission to access accountId: 123, 234
ana has VIEW permission to access accountId: 123, 555
(In future it can have more than 10k accounts and users)
When users access /accounts/{accountId} I need know if user have permission on {accountId} and if they can VIEW or EDIT this page.
I think create User Attribute named allowed_accounts in each user, and Roles for VIEW and EDIT, but I think this is not the correct way to do this.
Can someone help me how can I model this on KeyCloak?
One option is, each account could be modeled as a resource and then add resource attributes. Use those attributes while evaluating the permissions
like edit-users and view-users, you can get more information from the keycloak authorization documentation
I am new to Keycloak and I try to use it as authentication server in my solution.
I have the following entity's model: the devices are owned by a particular company to which some users belong. User with role admin can grant permission for viewing some set of devices to a regular user but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in company.
Based on these requirements, I decided to make companies as groups and devices as Keycloak's resources. To evaluate permissions, I chose rule based policy.
The question is -- Can I set group as an owner of resource to check this relation in policy?
If someone is more experienced in keycloak and knows how to better represent such model, please help.
Thank you in advance.
As working on keycloak, I didn't find any way to set the multiple owners for particular resources.
I'm having the alternate option to give the access permission, that owners have for their resources.
Let say Resource A owner is OWNER A, now there are two more user USER A and USER B. If suppose OWNER A already share the access permission to USER A and USER A wants to share Resource A to USER B on behalf of the Resource owner, then how should USER A can share the resource scopes to USER B?
Answer
Keycloak provides the facility of token exchanging or impersonation feature. With the help of this USER A can able to share the resources to USER B on behalf of the OWNER A (Owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want enforce permissions on is a Client in Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group before).
In order to assign the permission to groups of devices, use one Group/Role per group of device, then assign users to the Group/Role.
i am a newbie in the Symfony framework and I have to create a web application. The problem I have is the autorization of defined actions in the code.
I load my users out of a database with some roles (many-to-many). In the security.yml I work with ACLs for the different routes. But now my teacher told me, that I should implement specific rights to roles. That means, that I have some roles with rights (many-to-many), so I can create new roles with simply adding the some rights.
An example might be "editing users" in the database. So I can specify granually the rights "editing", "persisting" and so on.
How can I implement this in my Controllers/Twig-Templates? In Twig I work with the isGranted()-function, there I can only check roles?
Thanks for your help :-)