vinayawsm

Reputation: 865

How to avoid adding user to all groups with a resource

New to using Keycloak and I am trying to understand assigning of roles to users. This is the format I use. I create roles and users and create groups with certain roles. I then assign users to groups to have the permissions based on roles in the group. Now I have difficulty in the following case.

Let's say I have 4 resources A, B, C, D, 2 roles R1, R2, 2 groups G1, G2 and a user U.

R1 has permissions (I use these authorization scopes: read, write, create, delete) to access A, B.
R2 has permissions to access only the A, B, C, D resources.
G1 has role R1 and G2 has role R2 assigned to them.

Now I create a user U and want to give him access to G1, hoping this user will have access to the 2 mentioned resources. But that is not the case, and I notice U is not given access to any of the 4 resources. I will need to add this user to G2 as well to get access to all 4 resources, which is not what I wanted.

Also, in another case, if I want to add the user to G2, I expect him to have access to all 4 resources. But I notice that this user can only access C, D, and I should add him to G1 as well to get access to all the resources.

I believe Keycloak evaluates the permissions in an AND-condition fashion. Is there a way to define roles with resources exclusive to each other?

Upvotes: 0

Views: 605

Answers (1)

tryingToLearn

Reputation: 11659

From my experience of using Keycloak, and in the absence of your complete configuration in the question, I would recommend bringing permissions into the picture.

https://www.keycloak.org/docs/latest/authorization_services/#_permission_overview

NOTE: Please note that this is just a PERSONAL recommendation, not a hard-and-fast approach.

When you use permissions, you can set the decision strategy to Affirmative. (It seems in your case the default permission is set to Unanimous, which means all policies must evaluate to true.)

(https://www.keycloak.org/docs/latest/authorization_services/#_permission_decision_strategies)

The way I would approach this is:

  1. Assign roles to groups (same as what you did): G1 -> R1, G2 -> R2

  2. Add users to groups (same as what you did)

  3. Create a role based policy for R1(Policy1) and R2(Policy2).

  4. Create permission for each resource (PermA, PermB, PermC, PermD)

  5. Associate permission with required role policy

(taking your example)

Since R2 has access to all resources, associate Policy2 with all 4 permissions.

Since R1 has access to the A, B resources, associate Policy1 with only PermA, PermB.

Keeping the decision strategy as Affirmative.

Upvotes: 1
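The following is an added model (not Keycloak's own code, and not part of the original thread) of how the group -> role -> role policy -> resource permission chain from the answer is evaluated under Keycloak's Unanimous and Affirmative decision strategies; Consensus is included as well for comparison. The group, role, policy and resource names follow the thread; the data is constructed.

```python
"""Model of Keycloak permission evaluation for the G1/G2, R1/R2, A-D scenario.

Added example, not Keycloak source: it reproduces the decision strategy logic
so the behaviour described in the question and the answer can be compared.
"""

# Constructed data: role mappings per group, as in the question.
GROUP_ROLES = {"G1": {"R1"}, "G2": {"R2"}}

# Role-based policies (answer step 3): each grants when the user holds the role.
POLICIES = {"Policy1": "R1", "Policy2": "R2"}

# Resource permissions (answer steps 4 and 5): Policy2 on all four resources,
# Policy1 only on A and B.
PERMISSIONS = {
    "A": ["Policy1", "Policy2"],
    "B": ["Policy1", "Policy2"],
    "C": ["Policy2"],
    "D": ["Policy2"],
}


def user_roles(groups):
    """Effective roles a user inherits from group membership."""
    roles = set()
    for group in groups:
        roles |= GROUP_ROLES[group]
    return roles


def decide(votes, strategy):
    """Combine per-policy results the way the named decision strategy does."""
    granted = sum(votes)
    denied = len(votes) - granted
    if strategy == "UNANIMOUS":   # every associated policy must grant
        return all(votes)
    if strategy == "AFFIRMATIVE":  # at least one associated policy must grant
        return any(votes)
    if strategy == "CONSENSUS":    # more grants than denials
        return granted > denied
    raise ValueError(f"unknown decision strategy: {strategy}")


def accessible_resources(groups, strategy):
    """Resources the user may access given their groups and the strategy."""
    roles = user_roles(groups)
    allowed = set()
    for resource, policy_names in PERMISSIONS.items():
        votes = [POLICIES[name] in roles for name in policy_names]
        if decide(votes, strategy):
            allowed.add(resource)
    return allowed


if __name__ == "__main__":
    for strategy in ("UNANIMOUS", "AFFIRMATIVE"):
        for groups in (["G1"], ["G2"], ["G1", "G2"]):
            print(strategy, groups, sorted(accessible_resources(groups, strategy)))
```

Under UNANIMOUS the model yields exactly the symptoms in the question (G1 alone gets nothing, G2 alone gets only C and D); under AFFIRMATIVE G1 gets A and B and G2 gets all four.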
