Best practice for role/permission management

Hi, I’d like to get some suggestions on how to best leverage Keycloak within my architecture.

Our current setup is a set of Java (Spring Boot) microservices. We use Spring Security OAuth’s authorization service with a custom data model of users, roles, and permissions.

Users are assigned to roles; permissions are assigned to roles.

Roles can be added/removed, and permission membership changed, without technical impact.

All APIs use @PreAuthorize to check for the existence of a specific permission.

We’re looking to use Keycloak in a multi-tenanted structure (similar to this example: https://github.com/vimalKeshu/movie-app/tree/spring-boot-2-kc-multitenancy) – what is the best approach for managing users in roles and then applying that to individual API endpoints?

Thanks!

It depends on many factors.

  • How complex is the entire structure
  • How much time are you willing to spend
  • How many times do these roles and permissions change

You can check out https://www.keycloak.org/docs/latest/authorization_services/ for what Keycloak has to offer.
I’m only making an assumption here, but because you said you are only using @PreAuthorize, Keycloak may be a good solution to migrate to.
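As an added example (not code from either post or from the linked movie-app project), this shows the bridge a Spring Boot resource server needs so that existing @PreAuthorize checks keep working against a Keycloak token: the roles Keycloak places in the realm_access and resource_access claims are mapped to Spring Security authorities. It assumes spring-boot-starter-oauth2-resource-server and a Keycloak client id of movie-api (a placeholder).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
public class KeycloakRoleMapping {

    // Client id the resource server is registered under in Keycloak (assumed placeholder).
    private static final String CLIENT_ID = "movie-api";

    /** Turns Keycloak realm roles and client roles into ROLE_-prefixed authorities. */
    static Collection<GrantedAuthority> rolesFrom(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        // Realm-level roles: {"realm_access": {"roles": ["movie-admin", ...]}}
        addRoles(authorities, jwt.getClaimAsMap("realm_access"));
        // Client-level roles: {"resource_access": {"movie-api": {"roles": [...]}}}
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        if (resourceAccess != null && resourceAccess.get(CLIENT_ID) instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, Object> clientAccess = (Map<String, Object>) resourceAccess.get(CLIENT_ID);
            addRoles(authorities, clientAccess);
        }
        return authorities;
    }

    private static void addRoles(List<GrantedAuthority> out, Map<String, Object> access) {
        if (access == null || !(access.get("roles") instanceof Collection)) {
            return; // claim absent or malformed: grant nothing rather than fail open
        }
        for (Object role : (Collection<?>) access.get("roles")) {
            out.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
    }

    // Registered converter: @PreAuthorize("hasRole('movie-admin')") now matches a Keycloak role.
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(KeycloakRoleMapping::rolesFrom);
        return converter;
    }
}
```

If the fine-grained permissions are modelled as Keycloak roles granted through composite roles, the role-to-permission membership can be changed in Keycloak while the per-endpoint @PreAuthorize checks stay as they are.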