Reputation: 68
We are using Keycloak for a SaaS offering. Each user is part of a tenant / account and has specific roles for accessing this account's data. The roles are configured in Keycloak and the related account is saved as a user attribute on the user.
Now we've got a new requirement to give users access to multiple accounts. And for each of these accounts the user might have different roles:
User A:
- Account A:
  - ADMIN
- Account B:
  - Reader

User B:
- Account B:
  - Reader

...
I found a lot of articles about different approaches to multi-tenancy, but nothing in this direction. Most of the articles combined roles and groups. But in my case I would need to create a new group for every account. So I would end up with thousands or millions of groups.
Right now my APIs can authorize requests based on the issued JWT. Ideally I can keep this.
What's the best way to get this structure (users having access to multiple accounts with different roles) into place? Is this actually possible with Keycloak?
Or am I thinking in the wrong direction? It sounds like a rather common use case.
Thanks a lot already.
Upvotes: 5
Views: 2232
Reputation: 51443
> The roles are configured in Keycloak and the related account is saved as a user attribute on the user.
I am not sure why you need this, since you can extrapolate that based on the user role.
> Now we've got a new requirement to give users access to multiple accounts. And for each of these accounts the user might have different roles:
If I fully understood your problem I think it can be solved with Client Level roles. For instance:
Go to :
To set the role to the user go to
> Right now my APIs can authorize requests based on the issued JWT. Ideally I can keep this.

How a token request to Account A on behalf of user A would look like:
```json
{
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "AccountA": {
      "roles": [
        "ADMIN"
      ]
    },
    "AccountB": {
      "roles": [
        "Reader"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  }
}
```
One might say that when requesting a token from client Account A one does not really care about the roles in the client Account B. That can be solved by using Keycloak's Scope Feature. With this feature one can select the roles from other clients that are relevant to the current client. By default, all roles are included. Nonetheless, to filter the roles one needs to go and turn OFF the option Full Scope Allowed. How the token looks like now:
```json
{
  "resource_access": {
    "AccountA": {
      "roles": [
        "ADMIN"
      ]
    }
  }
}
```
Upvotes: 3
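As an added illustration of how an API would keep authorizing from the JWT under the client-level-roles layout described in the answer (this is example code, not the answerer's or Keycloak's own), the block below reads the `resource_access` claim of an already verified token and answers "does this user have role R on account X?". The two claim sets are constructed: the first mirrors the full-scope token shown above, the second the same user's token after Full Scope Allowed was switched off on client AccountA. Assumptions: signature, expiry and issuer checks happen upstream; tenant clients are named after the account; the `azp` (authorized party) check in `authorize` is one optional design choice for tying a token to the client it was issued for.

```python
import json

# Keycloak's built-in clients also appear under resource_access; they are not tenants.
# (Assumption: tenant clients are named after the account, e.g. "AccountA".)
BUILTIN_CLIENTS = {"account", "realm-management", "broker"}

# Constructed claims modelled on the answer's token (Full Scope Allowed still ON).
FULL_SCOPE_CLAIMS = json.loads("""
{
  "azp": "AccountA",
  "acr": "1",
  "realm_access": {"roles": ["offline_access", "uma_authorization"]},
  "resource_access": {
    "AccountA": {"roles": ["ADMIN"]},
    "AccountB": {"roles": ["Reader"]},
    "account": {"roles": ["manage-account", "view-profile"]}
  }
}
""")

# Constructed claims for the same user after Full Scope Allowed was turned OFF on AccountA.
SCOPED_CLAIMS = json.loads("""
{
  "azp": "AccountA",
  "acr": "1",
  "realm_access": {"roles": ["offline_access", "uma_authorization"]},
  "resource_access": {
    "AccountA": {"roles": ["ADMIN"]}
  }
}
""")


def account_roles(claims: dict) -> dict:
    """Map account (client id) -> set of roles, skipping Keycloak's own clients.

    Only resource_access is consulted; realm roles are deliberately ignored so a
    realm-wide role can never be mistaken for access to a particular account.
    """
    resource_access = claims.get("resource_access") or {}
    return {
        client: set(entry.get("roles", []))
        for client, entry in resource_access.items()
        if client not in BUILTIN_CLIENTS
    }


def has_account_role(claims: dict, account: str, role: str) -> bool:
    """Deny by default: the account must be present in resource_access with that role."""
    return role in account_roles(claims).get(account, set())


def authorize(claims: dict, account: str, role: str) -> bool:
    """What an API guard does after the token's signature/exp/iss are verified upstream.

    Assumed design choice: the token must have been issued to the account's own
    client (azp), so a token obtained from client AccountB is not accepted by
    AccountA's API even if it happens to list AccountA roles.
    """
    if claims.get("azp") != account:
        return False
    return has_account_role(claims, account, role)


if __name__ == "__main__":
    print("full scope:", account_roles(FULL_SCOPE_CLAIMS))
    print("scoped:    ", account_roles(SCOPED_CLAIMS))
    print("A is ADMIN on AccountA:", authorize(FULL_SCOPE_CLAIMS, "AccountA", "ADMIN"))
    print("Reader on AccountB via scoped token:", has_account_role(SCOPED_CLAIMS, "AccountB", "Reader"))
```

The `account_roles` filter matters because the built-in `account` client (the account console) shows up in every token; an API that enumerates "the tenants this user can see" straight from `resource_access` without that filter would treat it as a tenant. With Full Scope Allowed off, the scoped token simply has no `AccountB` entry, so the same deny-by-default lookup returns `False` without any special handling.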