Proper read/write permission management


I’m new to Keycloak and after successfully experimenting authentication, I’m experimenting resource permission management. By doing so, I see several ways to do what I want but I’m not convinced by any of them.

Let’s say I have a resource “Potato” in my backend. I want to assign some permissions on some users/groups to read potatoes and others to read/write potatoes (simple CRUD).

After experimenting on a dev Keycloak instance and reading on Keycloak documentation, I still hesitate on how to manage my resources permissions using the notions of Groups, Roles, Resources, Policies and Permissions.

The best way I found to manage my resources is:

  • Create a policy for each user/group
  • Create a Resource potato/<id> for each potato
  • Create a role read-potato/<id> and a role write-potato/<id> for each id
  • Create a permission per user or group having read access to the resource on resource read-potato/<id> using the policies created on first step, and same thing for read-potato/<id> .

However it seems quite strange to me to have 2 resources in Keycloak for a single “real” resource, and more strange even to carry permission info (read/write) in the resource name. It even adds a third one if I want to add a specific “delete” permission.

Moreover I’m a bit concerned about performance when listing potatoes for a user in terms of delay, volume of data returned, etc.

Is there a more natural and faster pattern including read/write notions somewhere else than in resource name?