0

New to using Keycloak and I am trying to understand assigning of roles to users. This is the format I use. I create roles and users and create groups with certain roles. I then assign users to groups to have the permissions based on roles in the group. Now I have difficulty in the following case.

Lets say I have 4 resources A, B, C, D, 2 roles R1, R2, 2 groups G1, G2 and a user U.

R1 have permissions (i use these authorization scopes: read, write, create, delete) to access A, B.
R2 have permissions to access only to A, B, C, D resources.
G1 has role R1 and G2 has role R2 assigned to them.

Now I create a user U and want to give him access to G1 hoping this user will have access to 2 mentioned resources. But that is not the case and I notice U is not given access to any of the 4 resources. I will need to add this user to G2 as well to get access to all 4 resources which is not what I wanted.

Also in another case, if I want to add user to G2, I expect him to have access to all 4 resources. But I notice that this user can only access C, D. And I should add him to G1 as well to get access to all the resources.

I believe keycloak checks with an and condition fashion in assigning permissions. Is there a way to define roles with resources exclusive to each other?

vinayawsm
  • 845
  • 9
  • 28

1 Answers1

1

From my experience of using Keycloak and in absence of your complete configuration in question, I would recommend to bring permissions into picture.

https://www.keycloak.org/docs/latest/authorization_services/#_permission_overview

NOTE: Please note that this is just a PERSONAL recommendation, not a hard-fast approach.

When you use permission, you can set the decision strategy to be affirmative. (It seems in your case default permission is set to Unanimous which means all policies must evaluate to true)

(https://www.keycloak.org/docs/latest/authorization_services/#_permission_decision_strategies)

The way I would approach this is:

  1. Assign roles to groups (same as what you did) G1 -> R1 G2 -> R2

  2. Add users to groups (same as what you did)

  3. Create a role based policy for R1(Policy1) and R2(Policy2).

  4. Create permission for each resource (PermA, PermB, PermC, PermD)

  5. Associate permission with required role policy

(taking your example)

Since R2 has access to all resources. Associate Policy2 with all 4 permsions.

Since R1 has access to A,B resources. Associate Policy1 with only PermA, PermB.

Keeping the decision strategy as Affirmative.

tryingToLearn
  • 10,691
  • 12
  • 80
  • 114