Java Policy and resource scope evaluation

Hi, I need help with an authorization use case.

What I would like:
I have some resources (~200) named Schema, and I have some actions (view, manage). I would like to give some users the permission to perform an action on some resources, and to get all permissions for a specific user.

What I have done:
I created my scopes View, Manage.
For each schema in my backend, a resource is created with type=schema and a “my-id” attribute holding the schema id. Every resource gets associated with the scopes (view, manage).
Example : Resource Schema A - type Schema - id: 42

I created my roles according to what I want to grant, in the manner of a profile:

  • id of my back-end schema
  • scopes granted by this role
    Example : View resource A - id : 42 - scopes : view

I created a Java policy (SPI) which checks whether my user owns a role that allows the requested scope on the requested resource.

I created one permission per scope (type: scope), with the resource type Schema, and applied my Java policy to it.

If I request Resource A with scope view, it works fine! GREAT :smiley:

The problem :
If I request all permissions, in the evaluate method of the policy:

  • the evaluation gives me all scopes associated with the current resource.
  • if I grant the evaluation, all scopes are granted
  • if I deny the evaluation, all scopes are denied.

I would have expected the evaluate method to be executed once for each scope (as it is for the resources).

Did I misunderstand something in the operation of the authorization?
I feel like I'm missing something, and doing something very complicated for a simple trick.

Thanks for your help! :smiley:
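As an added illustration (not the poster's code, nor Keycloak's own), here is a policy provider implementing the role check described in the post. It assumes realm roles named `schema:<id>:<scope>` and the `my-id` resource attribute from the post; the comment inside evaluate() marks where the all-or-nothing behaviour from "The problem" arises, since one evaluate() call covers every scope attached to the resource.

```java
import java.util.List;

import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.provider.PolicyProvider;

// Example policy (assumption: realm roles are named "schema:<id>:<scope>").
public class SchemaRolePolicyProvider implements PolicyProvider {

    @Override
    public void evaluate(Evaluation evaluation) {
        ResourcePermission permission = evaluation.getPermission();
        Resource resource = permission.getResource();
        Identity identity = evaluation.getContext().getIdentity();

        // The schema id lives in the "my-id" attribute set when the resource was created.
        List<String> ids = resource.getAttribute("my-id");
        if (ids == null || ids.isEmpty()) {
            evaluation.deny(); // fail closed: no id means no role can match this resource
            return;
        }
        String schemaId = ids.get(0);

        // When the client asks for all permissions, this list holds every scope attached
        // to the resource (view and manage) and the single decision below applies to all
        // of them: evaluate() runs once per resource, not once per scope. A role covering
        // only "view" therefore cannot be expressed here; the resource is granted only
        // when every requested scope is covered, otherwise it is denied as a whole.
        List<Scope> requested = permission.getScopes();
        boolean allCovered = !requested.isEmpty() && requested.stream()
            .allMatch(scope -> identity.hasRealmRole(
                "schema:" + schemaId + ":" + scope.getName()));

        if (allCovered) {
            evaluation.grant();
        } else {
            evaluation.deny();
        }
    }

    @Override
    public void close() {
        // nothing to release
    }
}
```

The provider would be registered through a PolicyProviderFactory like any Keycloak policy SPI; that boilerplate is omitted here.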

You might try to create 2 permissions with different lists of scopes. Create 2 different user-based policies and associate each with one of those 2 permissions. Note that, as I noticed, a user-based policy must have at least one user (at least in the UI) and fails to save if I remove the last user.
I had to achieve something similar to what you asked, but I'm a newbie in Keycloak.