Hello,
I’m new to Keycloak and, after successfully experimenting with authentication, I’m now experimenting with resource permission management. By doing so, I see several ways to do what I want, but I’m not convinced by any of them.
Let’s say I have a resource “Potato” in my backend. I want to assign some permissions on some users/groups to read potatoes and others to read/write potatoes (simple CRUD).
After experimenting on a dev Keycloak instance and reading the Keycloak documentation, I still hesitate about how to manage my resource permissions using the notions of Groups, Roles, Resources, Policies and Permissions.
The best way I found to manage my resources is:
- Create a policy for each user/group
- Create a Resource `potato/<id>` for each potato
- Create a role `read-potato/<id>` and a role `write-potato/<id>` for each id
- Create a permission per user or group having read access to the resource, on resource `read-potato/<id>`, using the policies created in the first step, and the same thing for `write-potato/<id>`.
However, it seems quite strange to me to have 2 resources in Keycloak for a single “real” resource, and stranger still to carry permission info (read/write) in the resource name. It even adds a third one if I want to add a specific “delete” permission.
Moreover, I’m a bit concerned about performance when listing potatoes for a user, in terms of delay, volume of data returned, etc.
Is there a more natural and faster pattern that puts the read/write notions somewhere other than the resource name?
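As an added illustration (this is editorial example code, not part of the original post and not Keycloak's own code): Keycloak's authorization services let a single resource carry named scopes, and permissions can be scope-based rather than resource-based. The snippet below models one resource per potato with `read`, `write` and `delete` scopes, builds the Protection API body used to register it, builds the UMA ticket request a backend sends to the token endpoint to ask for one scope on one potato, and reads the granted scopes back out of the decoded RPT. The realm, client id, resource type string, REST path and the sample RPT payload are all made up for the example; the claim layout (`authorization.permissions[].rsid/rsname/scopes`) and the `permission=RESOURCE#SCOPE` form are Keycloak's documented ones.

```python
"""
Added example (not from the original post): one Keycloak resource per potato,
with the CRUD verbs modelled as scopes instead of being encoded in the
resource name. Ids, paths and type strings below are made up.
"""
from typing import Dict, List

# Scopes attached to every potato resource; a scope-based permission then
# ties (resource, scope) to the user/group policies.
POTATO_SCOPES = ["read", "write", "delete"]
POTATO_TYPE = "urn:potato-app:resources:potato"  # assumed type string


def resource_payload(potato_id: int) -> Dict:
    """Body for the Protection API
    (POST /realms/<realm>/authz/protection/resource_set) registering one
    resource per potato, with all CRUD verbs as scopes."""
    return {
        "name": f"potato/{potato_id}",
        "type": POTATO_TYPE,
        "uris": [f"/potatoes/{potato_id}"],  # assumed backend REST path
        "scopes": POTATO_SCOPES,
        "ownerManagedAccess": False,
    }


def uma_permission_param(potato_id: int, scope: str) -> str:
    """Value of the `permission` form field of a UMA ticket grant request:
    RESOURCE_NAME#SCOPE."""
    if scope not in POTATO_SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    return f"potato/{potato_id}#{scope}"


def uma_token_request(client_id: str, potato_id: int, scope: str) -> Dict[str, str]:
    """Form fields a backend posts to
    /realms/<realm>/protocol/openid-connect/token (with the caller's access
    token as Bearer) to obtain an RPT limited to this potato and scope."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": client_id,
        "permission": uma_permission_param(potato_id, scope),
    }


def granted_scopes(rpt_claims: Dict, resource_name: str) -> List[str]:
    """Scopes Keycloak granted on `resource_name`, read from the decoded RPT's
    `authorization.permissions` claim (entries carry rsid, rsname, scopes).
    The JWT signature is assumed to have been verified before this is called."""
    for entry in rpt_claims.get("authorization", {}).get("permissions", []):
        if entry.get("rsname") == resource_name:
            return list(entry.get("scopes", []))
    return []


def can(rpt_claims: Dict, potato_id: int, scope: str) -> bool:
    """True if the RPT grants `scope` on potato `potato_id`."""
    return scope in granted_scopes(rpt_claims, f"potato/{potato_id}")


# Constructed sample: decoded payload of an RPT for a user who may only read
# potato 42 (ids are placeholders, not real Keycloak ids).
SAMPLE_RPT = {
    "sub": "2b8f0c1e-0000-4000-8000-000000000001",
    "authorization": {
        "permissions": [
            {
                "rsid": "f0e1d2c3-0000-4000-8000-000000000042",
                "rsname": "potato/42",
                "scopes": ["read"],
            },
        ]
    },
}

if __name__ == "__main__":
    print(resource_payload(42))
    print(uma_token_request("potato-backend", 42, "write"))
    print("read  potato/42:", can(SAMPLE_RPT, 42, "read"))
    print("write potato/42:", can(SAMPLE_RPT, 42, "write"))
```

Two practical notes on this layout: the `permissions` claim must only be trusted after the RPT's signature has been checked against the realm keys, and for the listing case the backend does not have to issue one request per potato; the UMA ticket grant also accepts a request with no `permission` field (all permissions the user has for the audience) and `response_mode=permissions`, which returns just the permission list instead of a full token.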