aweis

Reputation: 5606

Complex roles and permissions model on nested group structure in Keycloak

I have an application where all user permissions and roles are handled in a database (homemade permission model), but since user authentication now needs to be moved to Keycloak I am looking into whether this permission model can be supported by roles and authorization in Keycloak also.

The object model in the application is a nested tree structure with three types of objects (picture provided for details)

Object model

There are a number of Grouping Objects, under each of them there are a number of Main Objects and under each of these there can be a hierarchy tree of Tree Objects. Each object at any level can be assigned roles (different for each object type), such as Owner, Contributor, Reader and on each object type there are a number of different types of permissions (also different for each object type), such as Create child object, Add users etc.

Currently my thoughts are to create the structure as groups in Keycloak and put users in the groups when they are allowed access to it, but I am stuck in figuring out if I can handle the different roles and permissions individually for each user when they are assigned to a group - and if the complexity is too high when I need to sync the tree structure as the objects still need to exist in my database also. Note, there can be 500k objects.

Currently some roles also overwrite permissions in the subtree, such that if you are an Owner of a Grouping Object you are allowed everything, no matter if there for some reason are stricter permissions on a sub object.

Any advice or resource reference is much appreciated, thanks.

Upvotes: 0

Views: 2872

Answers (1)

sventorben

Reputation: 1912

I don't think what you are trying to achieve here is possible with Keycloak out of the box. Keep in mind that roles are related to the realm or individual clients. When you assign a (realm/client) role R to a group G and add a user U to that group G, the user U will be assigned that role R for the corresponding realm/client and not for the group.

If your grouping/main/tree objects are business objects (or data) within your app, keep them there. Let Keycloak handle authentication; authorization enforcement should be the responsibility of your app.

Upvotes: 2
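The enforcement the answer recommends keeping in the app, as an added example that is neither the answerer's nor Keycloak's code: Keycloak supplies the authenticated subject (the token's `sub` claim), the application database holds the per-object role assignments, and the check walks the nested Grouping/Main/Tree structure applying the Owner-overrides-subtree rule from the question. The object type names, role names, permission table, sample tree and the rule that non-Owner roles apply only to the object they are assigned on are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set

# Permission table per (object type, role); constructed for this example,
# the real one stays in the application database.
PERMISSIONS: Dict[tuple, Set[str]] = {
    ("grouping", "Owner"): {"read", "create_child", "add_users", "delete"},
    ("grouping", "Contributor"): {"read", "create_child"},
    ("grouping", "Reader"): {"read"},
    ("main", "Owner"): {"read", "create_child", "add_users", "delete"},
    ("main", "Contributor"): {"read", "create_child"},
    ("main", "Reader"): {"read"},
    ("tree", "Owner"): {"read", "create_child", "delete"},
    ("tree", "Contributor"): {"read", "create_child"},
    ("tree", "Reader"): {"read"},
}
OVERRIDING_ROLES = {"Owner"}  # held on an ancestor, grants everything below

@dataclass
class Node:
    kind: str                     # "grouping", "main" or "tree"
    parent: Optional[str] = None  # parent id; None for a Grouping Object
    roles: Dict[str, str] = field(default_factory=dict)  # subject -> role here

def ancestors(tree: Dict[str, Node], node_id: str) -> Iterator[Node]:
    # Yield the node itself, then each parent up to the Grouping Object.
    cur: Optional[str] = node_id
    while cur is not None:
        yield tree[cur]
        cur = tree[cur].parent

def has_permission(tree: Dict[str, Node], subject: str, node_id: str, perm: str) -> bool:
    # `subject` is the `sub` claim of the Keycloak token; roles come from the app DB.
    # Rule 1: an overriding role on the object or any ancestor wins outright.
    # Rule 2: otherwise only the role assigned on the object itself is consulted
    #         (assumption: non-overriding roles do not flow down the tree).
    chain = list(ancestors(tree, node_id))
    if any(n.roles.get(subject) in OVERRIDING_ROLES for n in chain):
        return True
    role = chain[0].roles.get(subject)
    return role is not None and perm in PERMISSIONS.get((chain[0].kind, role), set())

# Constructed sample tree: grouping G1 -> main M1 -> tree T1 -> tree T2.
TREE: Dict[str, Node] = {
    "G1": Node("grouping", None, {"alice": "Owner", "bob": "Reader"}),
    "M1": Node("main", "G1", {"bob": "Contributor"}),
    "T1": Node("tree", "M1", {"bob": "Reader", "carol": "Owner"}),
    "T2": Node("tree", "T1"),
}
```

With this split, only the identity (and, if wanted, a coarse realm role) needs to live in Keycloak, so the 500k-object tree never has to be mirrored as Keycloak groups.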
