Incorrect evaluation results with Keycloak Authorization

Hi,

I have a requirement to implement authorization using Keycloak (a combination of resource-, role-, user- and group-based access control). To begin with, I am testing a simple scenario where I have created a user “XYZ” with “Operator” as his role. I am trying to test whether this user XYZ has modify/execute permissions on resource “ABC”. Surprisingly, the evaluation results are not as expected. Please find the details of my project below:

  1. Backend: Java with Quarkus framework
  2. Frontend: Angular
  3. Keycloak Version: 16.1.1
  4. We have created the Realm and client in the keycloak
  5. Authentication: SSO is implemented using Keycloak – working fine
  6. Authorization: Currently we have only 1 resource, 1 policy and 1 permission created under the client.
    Scopes: read, modify and execute
    Roles: Administrator, Data Engineer, Project Manager, Moderator, Operator, User

I would appreciate it if you could let me know what is not right in the above scenario and whether the Keycloak evaluation results are correct. Also, let me know if my understanding of the above is correct.

Thanking you in advance and hoping to get a response soon.

Resource: [screenshot]

Scopes: [screenshot]

User with Operator as role: [screenshot]

Policy: [screenshot]

Permission: [screenshot]

Evaluation scenario: [screenshot]

Evaluation result: [screenshot]

Expected Result:

Although the overall result is “Deny”, the Operator-Flow-Policy should have been denied (voted to deny), as the granted permission is only on read and we are testing whether the user (Operator) has permission to modify/execute on the resource “flow1”.
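The distinction the post runs into is that in Keycloak a role policy only decides whether the user holds the role; which scopes are actually granted is decided by the permission the policy is attached to. The model below, added here as an illustration and not Keycloak's own code, reproduces that split with the post's names (resource flow1, policy Operator-Flow-Policy, scopes read/modify/execute) plus assumed names for the permission and users. It is a simplification of the evaluation tool's behaviour: every permission on the requested resource is evaluated, each policy votes on the user alone, the permission's decision strategy combines the votes, and only the scopes the permission covers can be granted; the overall result is PERMIT only when every requested scope was granted.

```python
"""Model of Keycloak-style scope permission evaluation (added example, not
Keycloak code). Resource/policy/scope names follow the forum post; the
permission and user names are assumptions for the illustration."""
from dataclasses import dataclass, field

PERMIT, DENY = "PERMIT", "DENY"


@dataclass
class User:
    name: str
    roles: set


@dataclass
class RolePolicy:
    """A role-based policy: votes PERMIT iff the user holds all required roles.
    It never looks at the requested scope; scopes belong to the permission."""
    name: str
    required_roles: set

    def evaluate(self, user: User) -> str:
        return PERMIT if self.required_roles <= user.roles else DENY


def combine(votes, strategy: str) -> str:
    """Combine policy votes with a Keycloak-style decision strategy."""
    votes = list(votes)
    permits = votes.count(PERMIT)
    denies = len(votes) - permits
    if strategy == "UNANIMOUS":      # every policy must permit
        return PERMIT if votes and denies == 0 else DENY
    if strategy == "AFFIRMATIVE":    # at least one policy permits
        return PERMIT if permits > 0 else DENY
    if strategy == "CONSENSUS":      # more permits than denies
        return PERMIT if permits > denies else DENY
    raise ValueError(f"unknown decision strategy {strategy}")


@dataclass
class ScopePermission:
    """A scope-based permission: grants only the scopes listed here, and only
    when its policies' combined vote is PERMIT."""
    name: str
    resource: str
    scopes: set
    policies: list
    decision_strategy: str = "UNANIMOUS"   # Keycloak's default strategy


def evaluate(user: User, permissions, resource: str, requested_scopes):
    """Return (overall decision, granted scopes, per-permission trace).

    Mirrors what the evaluation tool shows: each permission on the resource
    with its policy votes, and an overall decision that is PERMIT only when
    every requested scope ended up granted by some permitting permission."""
    requested = set(requested_scopes)
    granted: set = set()
    trace = []
    for perm in permissions:
        if perm.resource != resource:
            continue
        votes = {pol.name: pol.evaluate(user) for pol in perm.policies}
        decision = combine(votes.values(), perm.decision_strategy)
        covered = perm.scopes & requested          # scopes this permission can grant
        trace.append({"permission": perm.name, "votes": votes,
                      "decision": decision, "covers": sorted(covered)})
        if decision == PERMIT:
            granted |= covered
    overall = PERMIT if requested <= granted else DENY
    return overall, sorted(granted), trace


# --- constructed sample setup mirroring the post (names after the policy are assumed) ---
OPERATOR_POLICY = RolePolicy("Operator-Flow-Policy", {"Operator"})
ADMIN_POLICY = RolePolicy("Admin-Flow-Policy", {"Administrator"})   # assumed second policy

PERMISSIONS = [
    # the post's single permission: read on flow1, gated by the Operator role
    ScopePermission("Operator-Flow-Permission", "flow1", {"read"}, [OPERATOR_POLICY]),
    # assumed extra permission showing how modify/execute would be granted to admins only
    ScopePermission("Admin-Flow-Permission", "flow1", {"modify", "execute"}, [ADMIN_POLICY]),
]

OPERATOR = User("XYZ", {"Operator"})
ADMIN = User("admin", {"Administrator"})
PLAIN_USER = User("someone", {"User"})

if __name__ == "__main__":
    for who, scopes in [(OPERATOR, ["modify", "execute"]), (OPERATOR, ["read"]),
                        (ADMIN, ["modify", "execute"]), (PLAIN_USER, ["read"])]:
        overall, got, trace = evaluate(who, PERMISSIONS, "flow1", scopes)
        print(who.name, scopes, "->", overall, got)
        for t in trace:
            print("   ", t)
```

Running it for the operator requesting modify/execute prints an overall DENY with no granted scopes, while the trace still shows Operator-Flow-Policy voting PERMIT: the policy is satisfied (the user is an Operator), but the only permission it is attached to covers read, so nothing grants modify or execute. If the intent is for the policy itself to block those scopes, the lever is the permission's scope list (or a separate permission per scope set), not the role policy.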