Fine grained resource-based authorization

We’re currently evaluating Keycloak as candidate to consolidate our authentication and authorization stack but still have some interrogations about how to design around authorization models Keycloak provides.

Right now we use ORY Keto as our authorization server which uses a set of policies similar to AWS IAM Policies. Basically it’s just a policy that defines the subjects (eg. user id), resources (eg. blog post id), action (eg. read, write, delete) & effect (allow/disallow) : https://www.ory.sh/keto/docs/engines/acp-ory

We need to be able to attribute permissions in a resource id level. For instance user A needs READ access to blog:post:123 or blog:post:1-30 (range) or even blog:post:* (all blog posts).

What would be the way to implement a similar policy with Keycloak ?
Is there a need to explicitly declare all the subjects, resources, actions (scopes?) in Keycloak ?

Thank you :slight_smile:

@rgdev how did you tackle it?