Can Keycloak Authorization be used for the following complex RBAC requirement, or should we go with database tables and relationships and build the business logic ourselves?

We are using Keycloak for SSO authentication in our application. Users are added to Keycloak via LDAP. RBAC requirements:

  1. Sharable resources: Policies, Dashboards. Policies and dashboards can be shared with other users with some level of permission.
  2. Roles: Administrator, Moderator, Engineer, Operator, Project Manager. All these roles have different views. Only Engineer and Moderator can see the policy page and perform any action on it. Other roles cannot see these pages. Since views are static, we are planning to control this from the UI.
  3. Groups: A group contains the list of users who have the same roles.
  4. Permissions: Read, Execute, Modify, Delete.
  5. One engineer/moderator user E1 can share a resource (i.e. a policy or dashboard) with another engineer/moderator user E2 with read/execute/modify/delete permission. But if engineer/moderator user E1 tries to share it with Administrator user A1, the application should throw an error, as an Administrator cannot see this page.
  6. One engineer/moderator user E1 can share a resource (i.e. a policy or dashboard) with group G1 as well.
  7. Let’s say users E2, E3, E4 are part of group G1 with the Engineer role. E1 has created resource “policy1” and shared “policy1” with E2 with read permission. Now E1 shares the same policy “policy1” with group G1 with execute permission. Observe that E2 currently has only read permission. In this case E2 should be assigned execute permission on “policy1”, as execute > read. Basically, whichever permission is higher should be retained or applied.

I have following questions:

  • Since we have many conditional requirements, I am not sure whether I should go with Keycloak to manage RBAC or design DB tables and relationships and handle it with queries and business logic.
  • If I go with Keycloak, how would I be able to achieve the 5th and 7th points?

After #2, this doesn’t sound like RBAC. The access isn’t role-based, but user or group based. I have been handling this type of requirement at the application level with user or group info pulled from the token.
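
The following is an added example, not code from the original post, from the reply above, or from Keycloak itself. It sketches the application-level approach the reply describes for points 5 and 7 of the question: identity (username, roles, groups) is taken from already-validated access-token claims, the share-with-administrator case is refused because that role cannot see the page, and a user's effective permission is the highest of their direct grant and any grant to a group they belong to. Claim names are assumptions: `realm_access.roles` is Keycloak's standard layout for realm roles, while a top-level `groups` claim presumes a Group Membership protocol mapper; the sample users and claims are constructed. The resolution generalizes beyond the read/execute case in point 7 to any pair of levels, including a direct grant that outranks the group grant.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Permission levels ordered from lowest to highest privilege (rule 7: the
# highest grant a user holds, directly or via a group, is the one that applies).
PERMISSION_RANK = {"read": 1, "execute": 2, "modify": 3, "delete": 4}

# Roles allowed to see the policy/dashboard pages (rules 2 and 5).
RESOURCE_ROLES = frozenset({"engineer", "moderator"})


class ShareError(Exception):
    """A share request that violates the access rules."""


@dataclass(frozen=True)
class Principal:
    """Caller identity taken from already-validated access-token claims."""
    username: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]

    @classmethod
    def from_claims(cls, claims: dict) -> "Principal":
        # realm_access.roles is Keycloak's standard layout; a top-level
        # "groups" claim is an assumption (it needs a Group Membership mapper).
        roles = claims.get("realm_access", {}).get("roles", [])
        groups = claims.get("groups", [])
        return cls(
            username=claims["preferred_username"],
            roles=frozenset(r.lower() for r in roles),
            groups=frozenset(groups),
        )

    def can_see_resources(self) -> bool:
        return bool(self.roles & RESOURCE_ROLES)


@dataclass
class SharedResource:
    """One policy or dashboard with its direct (per-user) and group grants."""
    name: str
    user_grants: Dict[str, str] = field(default_factory=dict)   # username -> permission
    group_grants: Dict[str, str] = field(default_factory=dict)  # group name -> permission


def _check_share(grantor: Principal, permission: str) -> None:
    if permission not in PERMISSION_RANK:
        raise ShareError(f"unknown permission {permission!r}")
    if not grantor.can_see_resources():
        raise ShareError(f"{grantor.username} cannot access this resource type")


def share_with_user(resource: SharedResource, grantor: Principal, target: Principal, permission: str) -> None:
    """Rule 5: refuse to share with a user whose roles cannot see the page."""
    _check_share(grantor, permission)
    if not target.can_see_resources():
        raise ShareError(f"{target.username} cannot see this page; share refused")
    resource.user_grants[target.username] = permission


def share_with_group(resource: SharedResource, grantor: Principal, group: str, permission: str) -> None:
    """Rule 6: share with a whole group; membership is resolved at access time."""
    _check_share(grantor, permission)
    resource.group_grants[group] = permission


def effective_permission(resource: SharedResource, user: Principal) -> Optional[str]:
    """Rule 7: the highest-ranked grant across direct and group shares, or None."""
    if not user.can_see_resources():
        return None  # rule 2: the page itself is hidden for other roles
    grants = []
    if user.username in resource.user_grants:
        grants.append(resource.user_grants[user.username])
    grants.extend(p for g, p in resource.group_grants.items() if g in user.groups)
    if not grants:
        return None
    return max(grants, key=PERMISSION_RANK.__getitem__)


def has_permission(resource: SharedResource, user: Principal, needed: str) -> bool:
    """True if the user's effective permission is at least `needed`."""
    eff = effective_permission(resource, user)
    return eff is not None and PERMISSION_RANK[eff] >= PERMISSION_RANK[needed]


# Constructed sample claims (not real tokens), mirroring the users in the question.
def _claims(name, roles, groups=()):
    return {"preferred_username": name, "realm_access": {"roles": roles}, "groups": list(groups)}

E1 = Principal.from_claims(_claims("E1", ["engineer", "moderator"]))
E2 = Principal.from_claims(_claims("E2", ["engineer"], ["G1"]))
E3 = Principal.from_claims(_claims("E3", ["engineer"], ["G1"]))
A1 = Principal.from_claims(_claims("A1", ["administrator"]))


def scenario() -> dict:
    """Walk through points 5 and 7 from the question and return the outcomes."""
    policy1 = SharedResource("policy1")
    share_with_user(policy1, E1, E2, "read")         # E2 directly: read
    share_with_group(policy1, E1, "G1", "execute")   # G1: execute
    try:
        share_with_user(policy1, E1, A1, "read")     # rule 5: must be refused
        admin_refused = False
    except ShareError:
        admin_refused = True
    return {
        "E2": effective_permission(policy1, E2),  # execute outranks read
        "E3": effective_permission(policy1, E3),  # via G1 only
        "A1": effective_permission(policy1, A1),  # role cannot see the page
        "admin_share_refused": admin_refused,
    }


if __name__ == "__main__":
    print(scenario())
```

Storing grants per resource in a database table keyed by resource and by user or group, as the reply suggests, keeps the decision in the application; the token then only needs to carry the caller's username, roles and groups, and the check above runs on every request rather than at share time alone, so a later change in group membership takes effect without touching stored grants.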

Thanks for your response. But can you please elaborate with an example of how you are achieving this?
Also provide a reference link, if any.
Also, this requirement for access control is a combination of users, groups and roles. See the 5th and 7th points: here E1 has the DataEngineer and Moderator roles and A1 has the Administrator role.