Question About How to Use Keycloak to Address an Enterprise Authorization Use Case

Hi everyone,

I would appreciate your input into whether and how we can use Keycloak to address an enterprise authorization use case. Below is an overview of the business problem we are seeking to solve:

  • Our application will have a CRUD permissions model.

  • Users who are not a manager should only be able to see their documents.

  • Users who are a manager should be able to see others’ documents. The extent of the others’ documents they should be able to see depends on where the group they are associated with is in the corporate hierarchy. The CEO and other select members of the executive staff should be able to see all documents from all divisions and departments throughout the organization. A division president should be able to see the documents associated only with users in the president’s division. A departmental manager should only be able to see the documents associated with users in his or her department.

Since Keycloak does not have an organization hierarchy per se, we are planning to use embedded groups to represent the hierarchy.

We would define the Document class as a resource and we would also define object instances of the Document class as a resource. Individual users would be owners of the document instances. This part seems relatively straightforward. What I am not sure about is how to extend manager access to the appropriate groups based on the manager’s location within the corporate hierarchy (i.e. embedded groups). I would greatly appreciate your advice on how to accomplish this point and on any other matters related to this use case that you think will be relevant and helpful.

Thank you in advance for your feedback.

All my best,

Steve
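As an added illustration of the manager-scoping question in the post above (this is example code, not Keycloak's own code and not something the poster supplied): the decision logic that "a manager sees the documents of everyone in their group and every subgroup" can be expressed as a segment-aware check on Keycloak group paths. Keycloak's Group Membership protocol mapper can emit a user's groups as full paths such as `/Corp/Sales/EMEA`, and the same path form is assumed here for the document owner's group. The realm role names `executive` and `manager`, the user and document shapes, and all sample data are constructed assumptions. The one detail worth checking in any real implementation is the prefix test: a plain `startsWith("/Corp/Sales")` would also match `/Corp/SalesOps`, so the comparison must respect the `/` segment boundary.

```javascript
// Added example: hierarchical document visibility driven by Keycloak-style
// full group paths. Not Keycloak code; role names and data shapes are assumed.

const EXECUTIVE_ROLE = 'executive'; // assumed realm role: sees all documents
const MANAGER_ROLE = 'manager';     // assumed realm role: sees own subtree

// Segment-aware containment test: is `path` equal to `ancestor` or nested
// beneath it? A naive startsWith() would let "/Corp/Sales" match "/Corp/SalesOps".
function isWithin(path, ancestor) {
  if (path === ancestor) return true;
  const prefix = ancestor.endsWith('/') ? ancestor : ancestor + '/';
  return path.startsWith(prefix);
}

// Decide whether `user` may read `doc`.
// user: { id, groupPaths: [full group paths], roles: [realm roles] }
// doc:  { id, ownerId, ownerGroupPath }
function canRead(user, doc) {
  // 1. Every user reads their own documents.
  if (doc.ownerId === user.id) return true;
  // 2. Executives read everything, regardless of group.
  if (user.roles.includes(EXECUTIVE_ROLE)) return true;
  // 3. Managers read documents owned by members of their group or any subgroup.
  if (user.roles.includes(MANAGER_ROLE)) {
    return user.groupPaths.some(g => isWithin(doc.ownerGroupPath, g));
  }
  // 4. Everything else is denied (default-deny).
  return false;
}

// Constructed sample users. Group paths mimic Keycloak's "Full group path" claim.
const users = {
  ceo:            { id: 'u-ceo',   groupPaths: ['/Corp'],            roles: [EXECUTIVE_ROLE] },
  salesPresident: { id: 'u-sp',    groupPaths: ['/Corp/Sales'],      roles: [MANAGER_ROLE] },
  emeaManager:    { id: 'u-em',    groupPaths: ['/Corp/Sales/EMEA'], roles: [MANAGER_ROLE] },
  alice:          { id: 'u-alice', groupPaths: ['/Corp/Sales/EMEA'], roles: [] },
  bob:            { id: 'u-bob',   groupPaths: ['/Corp/Sales/APAC'], roles: [] },
  carol:          { id: 'u-carol', groupPaths: ['/Corp/SalesOps'],   roles: [] },
};

// Constructed sample documents; ownerGroupPath is recorded at creation time.
const docs = [
  { id: 'd1', ownerId: 'u-alice', ownerGroupPath: '/Corp/Sales/EMEA' },
  { id: 'd2', ownerId: 'u-bob',   ownerGroupPath: '/Corp/Sales/APAC' },
  { id: 'd3', ownerId: 'u-carol', ownerGroupPath: '/Corp/SalesOps' },
  { id: 'd4', ownerId: 'u-sp',    ownerGroupPath: '/Corp/Sales' },
];

// Return the ids of the documents `user` is allowed to read.
function visibleDocuments(user) {
  return docs.filter(d => canRead(user, d)).map(d => d.id);
}

// Demo: print each sample user's visible set.
for (const [name, user] of Object.entries(users)) {
  console.log(name.padEnd(15), visibleDocuments(user).join(', '));
}
```

Whether this check runs inside a Keycloak policy or in the application's own enforcement point, the inputs are the same: the caller's group paths and roles from the token, and the owner and owner-group recorded on the document. Storing the owner's group path on the document at creation time keeps the decision a pure string comparison, but it also means a user who later moves between groups keeps their old documents in the old subtree unless the application updates that field.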