Resources, scopes, permissions and policies in Keycloak

I want to create a fairly simple role-based access control system using the Keycloak authorization system. The legacy system we are replacing lets us create a "user" who is a member of one or more "groups". In this legacy system, a user is granted "permission" to access each of about 250 "features" either through group membership (groups are assigned permissions) or by granting the permission directly to the user.

I would like to map this legacy system onto Keycloak permissions.

It should be easy for me to map each "feature" in the existing system to a Keycloak resource and a set of Keycloak scopes. For example, the "viewAccount" feature obviously maps to the "account" resource and the "view" scope, and "viewTransaction" maps to the "transaction" resource ... but is it better to create only one "view" scope and use it for several resources (account, transaction, etc.)? Or do I need to create a "viewAccount" scope, a "viewTransaction" scope, etc.?

Similarly, I'm a little confused about permissions. Is it usual to create a permission for each practical combination of resource and scope? If there are several permissions for the same resource/scope, what does Keycloak do? I assume Keycloak's intention is to let me customize the permissions matrix of resources and scopes, so that, for example, I could have a permission for the "account" resource and a permission for the "view" scope, and thereby have permission to view accounts?

I ask because the upshot of all this is that my old viewAccount feature ends up creating an account resource, a view scope and a viewAccount permission, which seems to bring me back to where I started. That's fine if it's correct.

Finally, obviously, I need a set of policies that determine whether viewAccount should be applied. But is it right that this means I need a policy for each legacy group a user can belong to? For example, if I have a helpdesk role, I need a helpdesk policy that I can add to the viewAccount permission. Is that correct?

Thanks,

Mark
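As an added illustration (not part of the original question, and not Keycloak's own code), here is the mapping the question describes, written out in the shape of the JSON Keycloak exports for a client's authorization settings, together with a small evaluator that mimics Keycloak's decision strategies so you can see what happens when several permissions match the same resource/scope pair. All resource, scope, policy and role names (account, transaction, helpdesk, auditor) are constructed for the example; the evaluator models only role policies and the AFFIRMATIVE/UNANIMOUS/CONSENSUS strategies and is an approximation of Keycloak's behaviour, not the real policy engine.

```python
import json


def role_policy(name, *roles):
    """A Keycloak role policy: granted when the user holds any listed role."""
    return {"name": name, "type": "role", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "config": {"roles": json.dumps([{"id": r, "required": False} for r in roles])}}


def scope_permission(name, resources, scopes, policies, strategy="UNANIMOUS"):
    """A scope-based permission; its own decisionStrategy combines its policies."""
    return {"name": name, "type": "scope", "logic": "POSITIVE", "decisionStrategy": strategy,
            "config": {"resources": json.dumps(resources), "scopes": json.dumps(scopes),
                       "applyPolicies": json.dumps(policies)}}


# Constructed settings in the shape of Keycloak's authorization-settings export
# (client > Authorization > Export). Every name below is invented for illustration.
AUTHZ_SETTINGS = {
    "policyEnforcementMode": "ENFORCING",
    "decisionStrategy": "AFFIRMATIVE",  # combines permissions matching the same resource/scope
    # One shared "view" scope reused by every resource, instead of viewAccount/viewTransaction scopes.
    "scopes": [{"name": "view"}, {"name": "edit"}],
    "resources": [
        {"name": "account", "scopes": [{"name": "view"}, {"name": "edit"}]},
        {"name": "transaction", "scopes": [{"name": "view"}]},
    ],
    # The export keeps policies and permissions in one list, told apart by "type".
    "policies": [
        role_policy("helpdesk-policy", "helpdesk"),  # one policy per legacy group
        role_policy("auditor-policy", "auditor"),
        # one permission per (resource, scope) pair that a legacy feature maps to
        scope_permission("viewAccount", ["account"], ["view"], ["helpdesk-policy"]),
        # a second permission on the same pair: with AFFIRMATIVE either one granting suffices
        scope_permission("viewAccount-for-auditors", ["account"], ["view"], ["auditor-policy"]),
        scope_permission("viewTransaction", ["transaction"], ["view"], ["auditor-policy"]),
        # UNANIMOUS across two policies: the user must satisfy both
        scope_permission("editAccount", ["account"], ["edit"], ["helpdesk-policy", "auditor-policy"]),
    ],
}

PERMISSION_TYPES = {"scope", "resource"}


def _cfg(entry, key):
    """Decode a JSON-encoded list from a policy/permission config."""
    return json.loads(entry["config"].get(key, "[]"))


def _combine(decisions, strategy):
    """Fold per-policy (or per-permission) grants using a decision strategy."""
    if strategy == "AFFIRMATIVE":
        return any(decisions)
    if strategy == "UNANIMOUS":
        return all(decisions)
    if strategy == "CONSENSUS":
        return decisions.count(True) > decisions.count(False)
    raise ValueError(f"unknown decision strategy {strategy!r}")


def _eval_role_policy(policy, user_roles):
    """Role policy: every 'required' role must be held, plus at least one listed role."""
    defs = _cfg(policy, "roles")
    required = [d["id"] for d in defs if d.get("required")]
    granted = all(r in user_roles for r in required) and any(d["id"] in user_roles for d in defs)
    return granted if policy["logic"] == "POSITIVE" else not granted


def _eval_permission(settings, permission, user_roles):
    by_name = {p["name"]: p for p in settings["policies"]}
    decisions = []
    for name in _cfg(permission, "applyPolicies"):
        policy = by_name[name]
        if policy["type"] != "role":
            raise NotImplementedError(f"policy type {policy['type']!r} is not modelled here")
        decisions.append(_eval_role_policy(policy, user_roles))
    return _combine(decisions, permission["decisionStrategy"])


def _matches(permission, resource, scope):
    if permission["type"] == "scope":
        resources = _cfg(permission, "resources")
        return scope in _cfg(permission, "scopes") and (not resources or resource in resources)
    # A resource-based permission covers every scope of the resource.
    return resource in _cfg(permission, "resources")


def authorize(settings, user_roles, resource, scope):
    """True if a user holding `user_roles` may perform `scope` on `resource`."""
    if settings["policyEnforcementMode"] == "DISABLED":
        return True
    matching = [p for p in settings["policies"]
                if p["type"] in PERMISSION_TYPES and _matches(p, resource, scope)]
    if not matching:
        # ENFORCING denies anything no permission covers; PERMISSIVE allows it.
        return settings["policyEnforcementMode"] == "PERMISSIVE"
    decisions = [_eval_permission(settings, p, user_roles) for p in matching]
    return _combine(decisions, settings["decisionStrategy"])


if __name__ == "__main__":
    for roles, res, sc in [({"helpdesk"}, "account", "view"), ({"auditor"}, "account", "view"),
                           ({"helpdesk"}, "transaction", "view"), ({"helpdesk"}, "account", "edit"),
                           ({"helpdesk", "auditor"}, "account", "edit")]:
        print(sorted(roles), res, sc, "->", authorize(AUTHZ_SETTINGS, roles, res, sc))
```

The two layers of decision strategy are the point: a permission's own strategy combines the policies attached to it (editAccount with UNANIMOUS needs both groups), while the resource server's strategy combines every permission that matches the request (the two permissions on account/view under AFFIRMATIVE let either group through). With one shared "view" scope, adding a new viewable resource means adding a resource and one scope permission, not a new scope.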

Source: https://habr.com/ru/post/1264123/
