Authz Design Advice for a File and Folder Management System

Hello dear Keycloak gurus,

I’m starting a new project and I want to use Keycloak as the authn and authz backend, and I have a few questions about best practices for authz structures and their usage.

My use-case:
I want to design a storage system where users can create folders and upload files. There are different operations on each object type:
folder:

  • view: view the folder in the hierarchy when listing
  • list: being able to list folder’s content
  • upload: being able to upload new files
  • share: being able to share

file:

  • view: view the folder in the hierarchy when listing the folder
  • read: being able to view file’s content
  • rename: being able to rename the file

After some doc surfing/reading I have a rough idea of how to implement it, but I’m not sure it’s the best way and I would like to get some input from you.

Solution I have in mind:
First, enable uma_protection for everyone so that everyone can create resources. Then create one scope per action for each object type.
Then, while creating the resource, create some default policies (using the uma-policy endpoints):

  • {resource_id}.owner: no scopes listed, so that everything is available
  • {resource_id}.team: view, list/read

So when users want to assign a role to someone, I can update the policy to add the new user_id.

The main issue I have with that is that it can create a lot of policies, which is not especially scalable if we need to add a new action for a specific role on all folders/files (potentially thousands of updates during a migration).

Users don’t have any UI to add new roles, so roles are fixed in the system.

My first POC is working quite well, but I’m not really satisfied with the «ad hoc» solution attached to each resource.

Side question, more about the architecture of the system: as far as I understand, there is no endpoint to list resources with grants? The resource_set endpoint lists all resources for everyone, and for each one I need to evaluate policies to check whether the user has access to it. Do I need to maintain some sort of read model/cache for this, or is there a feature I missed in the API documentation?

Thank you very much for your time and future feedback 🙂
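The scheme described in the post (one scope per action per object type, an `{resource_id}.owner` policy with no scopes and an `{resource_id}.team` policy with view and list/read, fixed roles, per-user resource listing computed by evaluating every resource's policies) modelled as a small offline Python module. This is an added example, not code from the original post and not Keycloak's own code. The request bodies follow the documented shape of Keycloak's UMA Protection API (`resource_set` registration and `uma-policy/{resource_id}`), but the resource ids, the `urn:storage:` type URN and the user names are made up for the example, and the "empty scopes means every scope" rule is taken from the post rather than from Keycloak. It also shows the fan-out the post worries about: adding one action to a role touches one policy per existing resource.

```python
"""Local model of the per-resource UMA policy scheme from the post (added example).

Not Keycloak code. Payload shapes mirror Keycloak's UMA Protection API docs;
ids, URNs and users are constructed for the example.
"""
from dataclasses import dataclass, field

# One scope per action, per object type (as listed in the post).
SCOPES = {
    "folder": ("view", "list", "upload", "share"),
    "file": ("view", "read", "rename"),
}

# Fixed roles. An empty tuple means "no scopes listed", which in the post's
# scheme grants every scope of the resource (assumption taken from the post).
ROLE_SCOPES = {
    "owner": {"folder": (), "file": ()},
    "team": {"folder": ("view", "list"), "file": ("view", "read")},
}


@dataclass
class UmaPolicy:
    """One policy as sent to POST/PUT .../authz/protection/uma-policy/{resource_id}."""
    name: str
    scopes: tuple                      # () = all scopes of the resource
    users: set = field(default_factory=set)

    def payload(self) -> dict:
        # Request body in the shape Keycloak's uma-policy endpoint documents.
        return {"name": self.name, "scopes": list(self.scopes), "users": sorted(self.users)}


@dataclass
class Resource:
    id: str                            # hypothetical; Keycloak assigns a UUID on registration
    name: str
    type: str                          # "folder" or "file"
    owner: str
    policies: dict = field(default_factory=dict)


def registration_payload(name: str, type_: str) -> dict:
    """Body for POST .../authz/protection/resource_set (type URN is an example value)."""
    return {
        "name": name,
        "type": f"urn:storage:{type_}",
        "resource_scopes": list(SCOPES[type_]),
        "ownerManagedAccess": True,
    }


def create_resource(rid: str, name: str, type_: str, owner: str, team=()) -> Resource:
    """Register a resource and attach the two default policies from the post."""
    r = Resource(rid, name, type_, owner)
    r.policies["owner"] = UmaPolicy(f"{rid}.owner", ROLE_SCOPES["owner"][type_], {owner})
    r.policies["team"] = UmaPolicy(f"{rid}.team", ROLE_SCOPES["team"][type_], set(team))
    return r


def assign_role(resource: Resource, role: str, user: str) -> dict:
    """Give a user a fixed role on one resource; returns the policy body for the single PUT."""
    resource.policies[role].users.add(user)
    return resource.policies[role].payload()


def permitted_scopes(user: str, resource: Resource) -> set:
    """Scopes granted to one user on one resource by that resource's policies."""
    granted = set()
    for pol in resource.policies.values():
        if user in pol.users:
            granted |= set(pol.scopes) or set(SCOPES[resource.type])
    return granted


def accessible(user: str, resources) -> dict:
    """The read model the post asks about: resource id -> sorted granted scopes.
    Built by evaluating every resource, i.e. O(number of resources) per user."""
    out = {}
    for r in resources:
        scopes = permitted_scopes(user, r)
        if scopes:
            out[r.id] = sorted(scopes)
    return out


def add_scope_to_role(resources, role: str, type_: str, scope: str) -> int:
    """The migration pain point: one new action for a role means one policy update
    per existing resource of that type. Returns how many updates (PUTs) it takes."""
    if scope not in SCOPES[type_]:
        raise ValueError(f"{scope!r} is not a {type_} scope")
    updates = 0
    for r in resources:
        pol = r.policies[role]
        # Skip resources of other types and policies that already grant everything.
        if r.type == type_ and pol.scopes and scope not in pol.scopes:
            pol.scopes += (scope,)
            updates += 1
    return updates


if __name__ == "__main__":
    folder = create_resource("f-1", "/alice/docs", "folder", "alice", team={"bob"})
    doc = create_resource("d-1", "/alice/docs/plan.md", "file", "alice", team={"bob"})
    print(accessible("bob", [folder, doc]))
```

Running `accessible` for a user over a list of resources is exactly the per-resource evaluation loop the side question describes; `add_scope_to_role` returns the number of policy writes a role change costs, which grows linearly with the number of resources of that type.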