We are using Keycloak for SSO authentication in our application. Users are added to Keycloak via LDAP. RBAC requirements:
- Sharable resources: Policies, Dashboards. Here policies and dashboards can be shared with other users with some level of permission.
- Roles: Administrator, Moderator, Engineer, Operator, Project Manager. All these roles have different views. Only Engineer and Moderator can see the policy page and perform any action on it. Other roles cannot see these pages. Since views are static, I am planning to control this from the UI.
- Groups: A group will contain a list of users who have the same role.
- Permissions: Read, Execute, Modify, Delete.
- One engineer/moderator user E1 can share a resource (i.e. policy or dashboard) with another engineer/moderator role user E2 with read/execute/modify/delete permissions. But if engineer/moderator user E1 tries to share it with Administrator user A1, the application should throw an error, as an Administrator cannot see this page.
- One engineer/moderator user E1 can share a resource (i.e. policy or dashboard) with group G1 as well.
- Let’s say users E2, E3, E4 are part of group G1 with Engineer as their role. E1 has created resource “policy1” and shared “policy1” with E2 with read permission. Now E1 is again sharing the same policy “policy1” with group G1 with execute permission. If we observe here, E2 already has only read permission. In this case E2 should be assigned execute permission on “policy1”, as execute > read. Basically, whichever is higher should be retained or applied.
I have the following questions:
- Since we have many conditional requirements, I am not sure if I should go for Keycloak to manage RBAC, or if I should design DB tables and relationships and handle it with queries and business logic?
- If I go with Keycloak, how would I be able to achieve the 5th and 7th points?
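A worked model of the sharing rules described in the question (the role check on the share target and the "higher permission wins" merge of direct and group grants), as an added example that is not code from the asker's application or from Keycloak. It assumes the ordering read < execute < modify < delete, that a higher permission implies the lower ones, and that the grants live in an in-app store; in practice these would be DB rows or Keycloak authorization-service permissions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Permission(IntEnum):
    """Assumed ranking; IntEnum lets max() pick the stronger grant."""
    READ = 1
    EXECUTE = 2
    MODIFY = 3
    DELETE = 4


# Only these roles can see the policy/dashboard pages, so only they may share or receive.
PAGE_ROLES = {"engineer", "moderator"}


@dataclass
class User:
    name: str
    role: str
    groups: set = field(default_factory=set)  # group names, e.g. {"G1"}


class ShareRegistry:
    """Hypothetical in-memory store of shares (stand-in for DB tables)."""

    def __init__(self):
        self.user_grants = {}   # (resource, user name) -> Permission
        self.group_grants = {}  # (resource, group name) -> Permission

    def _grant(self, table, key, perm):
        # "Whichever is higher should be retained": never downgrade an existing grant.
        table[key] = max(table.get(key, perm), perm)

    def share_with_user(self, resource, sharer, target, perm):
        if sharer.role not in PAGE_ROLES:
            raise PermissionError(f"{sharer.role} cannot share {resource}")
        if target.role not in PAGE_ROLES:   # e.g. sharing with Administrator A1
            raise PermissionError(f"{target.role} cannot see this page")
        self._grant(self.user_grants, (resource, target.name), perm)

    def share_with_group(self, resource, sharer, group, perm):
        if sharer.role not in PAGE_ROLES:
            raise PermissionError(f"{sharer.role} cannot share {resource}")
        self._grant(self.group_grants, (resource, group), perm)

    def effective_permission(self, resource, user):
        """Highest of the direct grant and all group grants; None if nothing applies."""
        if user.role not in PAGE_ROLES:    # view is hidden regardless of grants
            return None
        grants = [self.user_grants.get((resource, user.name))]
        grants += [self.group_grants.get((resource, g)) for g in user.groups]
        grants = [g for g in grants if g is not None]
        return max(grants) if grants else None

    def has_permission(self, resource, user, needed):
        eff = self.effective_permission(resource, user)
        return eff is not None and eff >= needed   # assumes higher implies lower
```

Whatever backs the store, the merge must be computed at authorization time from both grant tables, since a later group share should not require rewriting every member's direct grant.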