URI pattern / Javascript policy question

Hello,
I am new to KC and trying to play with authorisation using the analogy of a law firm with lawyers and clerks.

→ Lawyers and Clerks are assigned to specific cases.
→ Lawyers can perform write actions on the case
→ Clerks can only read from cases
→ A case will have child resource

Sample URIs:
/cases/{caseId}/notes/{noteId}
/cases/{caseId}/documents/{documentId}

My idea:

Create a group for each case and assign users to the group. The group will have a naming convention “CaseGroup:{caseId}”

Create 2 roles, lawyers and clerks, and assign users to those roles

So I want to create 2 policies:

JavaScript policy to do the following:

  1. Extract the caseId out of the requested resource URI ("/cases/1/notes")
  2. Calculate the group name (“CaseGroup:1”)
  3. Verify user is a member of “CaseGroup:1”

Role Policy
If user’s role is lawyer, able to write
If user’s role is clerk, able to read

Creating the Role policy is easy but how do I create the JavaScript policy?

Any ideas?

Might be a little late here, but …

I think you could push in the user’s ‘groups’ as claims to the policy via the Claim Information Point feature, and you could then match whether the user had a claim that matched the calculated group.

https://www.keycloak.org/docs/latest/authorization_services/#_enforcer_claim_information_point

I’d be wary of using groups as a mechanism to do this unless you have a good way of managing the group access. The user would most likely need to be in the group prior to authentication.

If there is not a robust way of assigning groups, you can just push in arbitrary claims and grant or deny based on these.
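The three steps listed in the question (extract the caseId, derive the group name, check membership), wired to the claim-based approach the reply suggests, as an added example that is neither part of the original thread nor Keycloak's own code. The `$evaluation` accessors used (`getContext().getIdentity().getAttributes()`, `getContext().getAttributes()`, `getPermission().getResource().getUris()`, `grant()`, `deny()`) follow Keycloak's documented JavaScript policy API; everything else is an assumption chosen here: the group naming convention `CaseGroup:{caseId}` from the post, a multi-valued claim named `groups` (either a Group Membership protocol mapper added to the token, or a claim of that name pushed by a Claim Information Point), and an optional CIP claim named `request.path` carrying the real request path (for example from `{request.relativePath}` in the enforcer config). The decision logic is kept in plain ES5-style functions so the same file runs under Node for testing and can be pasted into the policy editor.

```javascript
// Added example (not from the original post or from Keycloak): the JavaScript
// policy for "is the caller a member of the group for the requested case?".
// ES5 style on purpose so Keycloak's script engine accepts it unchanged.

var GROUPS_CLAIM = 'groups';             // assumed claim name carrying group names/paths
var REQUEST_PATH_CLAIM = 'request.path'; // assumed CIP claim name carrying the request path

// caseId is the path segment directly after /cases/ ; anything else is "not a case URI".
var CASE_URI = /^\/cases\/([A-Za-z0-9_-]+)(?:\/|$)/;

// Step 1: "/cases/1/notes" -> "1". Non-case URIs and URI templates such as
// "/cases/{caseId}/notes/{noteId}" yield null.
function extractCaseId(uri) {
  var m = CASE_URI.exec(uri);
  return m ? m[1] : null;
}

// Step 2: the naming convention from the question.
function groupForCase(caseId) {
  return 'CaseGroup:' + caseId;
}

// Step 3: true only if the URI is a case URI and the user holds that case's group.
// Group claims may be bare names or Keycloak group paths ("/CaseGroup:1"); both count.
function isMemberOfCaseGroup(uri, groups) {
  var caseId = extractCaseId(uri);
  if (caseId === null) {
    return false; // fail closed on anything that is not a case URI
  }
  var wanted = groupForCase(caseId);
  return groups.some(function (g) { return g === wanted || g === '/' + wanted; });
}

// All values of a multi-valued claim from a Keycloak Attributes object
// (identity.getAttributes() or context.getAttributes()); [] when absent.
function claimValues(attributes, name) {
  var out = [];
  if (!attributes.exists(name)) {
    return out;
  }
  var values = attributes.getValue(name);
  for (var i = 0; i < values.size(); i++) {
    out.push(values.asString(i));
  }
  return out;
}

// Resource.getUris() is a java.util.Set inside Keycloak; the mock used for
// testing hands over a plain array, so accept both.
function toArray(setLike) {
  if (Array.isArray(setLike)) {
    return setLike;
  }
  var out = [];
  var it = setLike.iterator();
  while (it.hasNext()) {
    out.push(String(it.next()));
  }
  return out;
}

// Policy body. Returns the decision as well so it can be unit-tested against a
// mock of $evaluation.
function evaluate(evaluation) {
  var context = evaluation.getContext();
  // Groups may arrive as a token claim (identity attributes) or be pushed by a
  // Claim Information Point (context attributes); merge both sources.
  var groups = claimValues(context.getIdentity().getAttributes(), GROUPS_CLAIM)
    .concat(claimValues(context.getAttributes(), GROUPS_CLAIM));

  // Prefer the real request path pushed by the CIP. Fall back to the URIs
  // registered on the resource; that only works when they are concrete, a
  // template like /cases/{caseId}/notes/{noteId} never matches and is denied.
  var paths = claimValues(context.getAttributes(), REQUEST_PATH_CLAIM);
  if (paths.length === 0) {
    var resource = evaluation.getPermission().getResource();
    paths = resource ? toArray(resource.getUris()) : [];
  }

  var granted = paths.some(function (p) { return isMemberOfCaseGroup(p, groups); });
  if (granted) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
  return granted;
}

// Inside Keycloak $evaluation is injected by the engine; under Node this is skipped.
if (typeof $evaluation !== 'undefined') {
  evaluate($evaluation);
}
```

Attach this policy together with the role policy to the permission covering the case resources and set the permission's decision strategy to Unanimous, so that a lawyer still has to be in the case's group to write. Note that a `groups` token claim reflects the user's memberships at the time the token was issued, which is the point the reply makes about the user needing to be in the group before authentication; a claim pushed by the CIP at request time does not have that limitation.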