Hi, I need help with an authorization use case.
What I would like:
I have some resources (~200) named Schema and some actions (view, manage). I would like to give some users permission to perform an action on some resources, and to get all permissions for a specific user.
What I have done:
I created my scopes View, Manage.
For each schema in my backend, a resource is created with type=schema and a “my-id” attribute holding the schema id. Every resource gets associated with the scopes (view, manage).
Example: Resource Schema A - type Schema - id: 42
I created my roles according to what I want to grant, in the manner of a profile:
- id of my back-end schema
- scopes granted by this role
Example: View resource A - id: 42 - scopes: view
I created a Java policy (SPI) which checks whether my user owns a role that allows the requested scope on the requested resource.
I created one permission per scope (type scope), with the resource type Schema. I applied my Java policy.
If I request Resource A with scope view, it works fine! GREAT
The problem:
If I request all permissions, in the evaluate method of the policy:
- the evaluation gives me all scopes associated with the current resource.
- if I grant the evaluation, all scopes are granted
- if I deny the evaluation, all scopes are denied.
I would have expected the evaluate method to be executed once for each scope (as is done for the resources).
Did I misunderstand something in the operation of the authorization?
I feel like I am missing something, and that I am doing something very complicated for a simple trick.
Thanks for your help!
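For readers trying to reproduce the setup above, here is an added example of the kind of Keycloak PolicyProvider the post describes. It is not the poster's code. It assumes a role naming convention of `schema:<my-id>:<scope>` (for example `schema:42:view`) in place of the poster's attribute-based roles, and it reads the schema id from the resource's `my-id` attribute as the post does. It also shows the point the post runs into: `grant()` and `deny()` apply to the whole `ResourcePermission`, whose `getScopes()` contains every scope being evaluated for that resource, so the provider decides once for that set of scopes rather than once per scope.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.provider.PolicyProvider;

/**
 * Added example (not from the original post): grants a permission when the
 * requesting identity holds a realm role for every scope being evaluated on a
 * "schema" resource. Role naming convention is an assumption of this example:
 * schema:<my-id>:<scope>, e.g. schema:42:view.
 */
public class SchemaRolePolicyProvider implements PolicyProvider {

    static final String RESOURCE_TYPE = "schema";
    static final String SCHEMA_ID_ATTRIBUTE = "my-id";

    @Override
    public void evaluate(Evaluation evaluation) {
        ResourcePermission permission = evaluation.getPermission();
        Resource resource = permission.getResource();

        // Only decide for resources of the expected type; deny anything else.
        if (resource == null || !RESOURCE_TYPE.equalsIgnoreCase(resource.getType())) {
            evaluation.deny();
            return;
        }

        Map<String, List<String>> attributes = resource.getAttributes();
        List<String> ids = attributes == null ? null : attributes.get(SCHEMA_ID_ATTRIBUTE);
        if (ids == null || ids.isEmpty()) {
            evaluation.deny(); // resource is not linked to a backend schema
            return;
        }
        String schemaId = ids.get(0);

        // Scopes this permission is being evaluated for. For a single-scope request this
        // holds one scope; for an "all permissions" request it holds every scope attached
        // to the resource, which is why grant()/deny() below covers all of them at once.
        Set<String> evaluated = permission.getScopes().stream()
                .map(Scope::getName)
                .collect(Collectors.toSet());

        // When the policy is attached to a scope-based permission, restrict the decision
        // to the scopes that permission covers.
        Policy parent = evaluation.getParentPolicy();
        if (parent != null && !parent.getScopes().isEmpty()) {
            Set<String> parentScopes = parent.getScopes().stream()
                    .map(Scope::getName)
                    .collect(Collectors.toSet());
            evaluated.retainAll(parentScopes);
        }

        if (evaluated.isEmpty()) {
            evaluation.deny(); // nothing in common between requested scopes and this permission
            return;
        }

        Identity identity = evaluation.getContext().getIdentity();
        boolean allGranted = evaluated.stream()
                .allMatch(scope -> identity.hasRealmRole(roleFor(schemaId, scope)));

        // The decision is per permission, not per scope: all evaluated scopes are granted
        // together or denied together.
        if (allGranted) {
            evaluation.grant();
        } else {
            evaluation.deny();
        }
    }

    /** Builds the assumed role name for one schema/scope pair, e.g. schema:42:view. */
    static String roleFor(String schemaId, String scope) {
        return "schema:" + schemaId + ":" + scope.toLowerCase();
    }

    @Override
    public void close() {
    }
}
```

To deploy, the provider has to be created by a `PolicyProviderFactory` implementation registered in `META-INF/services/org.keycloak.authorization.policy.provider.PolicyProviderFactory`, then selected as the policy type on the scope-based permissions described in the post.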