We already have a running Keycloak system that uses an openid-connect client to secure the frontend app and an openid-connect client to secure the backend app.
The clients are configured like that:
We have created resources and scopes to predefine what access rights are required to access the backend functions (and request data with these functions).
Also we created policies and permissions so as to let the user decide what user groups will have which permissions, and finally assign the user groups to the user.
All is running fine but now we have to rework this:
Currently we have a fixed system that has hard coded resources and scopes - only the assignment of access rights to users is flexible.
Now we need to allow the user to configure dynamically hiding parts of certain datasets to specific users or user groups!
User A selects salary or private phone number of all employee datasets and defines that they must only be visible to User B and C and user group X.
Also whole datasets (not just parts of them), like a set of documents that are assigned to a logical group, must only be visible to User A and C and user group X.
Is this possible to configure and implement with Keycloak somehow - any advice on the approach?
Maybe using ‘resource attributes’ can be a way to create some sort of filtering to extract the fields out of the network response that the current user ain't allowed to see…
Any advice from someone who has done something like this before?
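One way to realise the field-level and dataset-level hiding the post asks about is to keep Keycloak as the decision point and let the backend enforce the decision on the response: each sensitive field becomes its own scope on the resource, and each logical document group becomes its own resource, so an administrator hides data simply by not granting the corresponding scope. The example below is added here and is not code from the original post or from Keycloak itself. It assumes the backend has already verified the signature of the requesting party token (RPT) and decoded it; the `authorization.permissions` layout with `rsname` and `scopes` is the one Keycloak issues, while the resource and scope names (`employee`, `view:salary`, `documents:<group>`) and the sample claims are constructed for illustration.

```python
"""Response filtering driven by permissions from a Keycloak RPT (added example)."""
from typing import Any, Dict, Iterable, List, Optional, Set

# Constructed sample: decoded claims of a Keycloak RPT. Keycloak places the
# granted permissions under "authorization.permissions"; each entry names the
# resource ("rsname") and the granted scope names ("scopes"). The token must be
# signature-verified before these claims are trusted; that step is assumed to
# have happened already and is not shown here.
SAMPLE_RPT_CLAIMS: Dict[str, Any] = {
    "sub": "user-b",
    "authorization": {
        "permissions": [
            # User B may view employee records and, specifically, the salary field.
            {"rsname": "employee", "scopes": ["view", "view:salary"]},
            # User B may view the document set of logical group X.
            {"rsname": "documents:group-x", "scopes": ["view"]},
        ]
    },
}

# Hypothetical naming convention: every sensitive field of an employee record
# is guarded by its own scope on the "employee" resource. Hiding "salary" from
# a user or group means not granting "view:salary" to them in Keycloak.
SENSITIVE_FIELD_SCOPES: Dict[str, str] = {
    "salary": "view:salary",
    "private_phone": "view:private_phone",
}


def granted_scopes(claims: Dict[str, Any], resource_name: str) -> Set[str]:
    """Return the scope names granted on `resource_name`.

    Deny by default: a missing or malformed "authorization" claim, an unknown
    resource, or a permission entry without an explicit "scopes" list all yield
    an empty set, so nothing is revealed by accident.
    """
    auth = claims.get("authorization") or {}
    scopes: Set[str] = set()
    for perm in auth.get("permissions") or []:
        if perm.get("rsname") == resource_name:
            scopes.update(perm.get("scopes") or [])
    return scopes


def filter_employee(record: Dict[str, Any], claims: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Strip fields the caller may not see; return None if the record is off-limits."""
    scopes = granted_scopes(claims, "employee")
    if "view" not in scopes:
        return None
    return {
        field: value
        for field, value in record.items()
        if field not in SENSITIVE_FIELD_SCOPES or SENSITIVE_FIELD_SCOPES[field] in scopes
    }


def filter_documents(docs: Iterable[Dict[str, Any]], claims: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Keep only documents whose logical group the caller may view (one resource per group)."""
    return [d for d in docs if "view" in granted_scopes(claims, f"documents:{d['group']}")]


if __name__ == "__main__":
    employee = {"name": "Alice", "salary": 5000, "private_phone": "555-0100"}
    print(filter_employee(employee, SAMPLE_RPT_CLAIMS))
    documents = [{"id": 1, "group": "group-x"}, {"id": 2, "group": "group-y"}]
    print(filter_documents(documents, SAMPLE_RPT_CLAIMS))
```

Because the filtering happens server-side on the already-fetched record, a client that merely omits a field from its request cannot get around it, and the per-field scopes show up in Keycloak's own permission evaluation and audit events rather than being buried in application code.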