libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions
keycloak-scim/topics/policy/drools-policy.adoc

91 lines
2.8 KiB
Text
Raw Normal View History

More doc
2016-06-05 22:17:31 +00:00
== Drools-Based Policy
Fixing typos
2016-06-08 12:32:31 +00:00
This type of policy allows you to define conditions for your permissions using Drools. It is one of the _Rule-Based_ policy types
Minor fixes and updates
2016-06-29 22:51:16 +00:00
supported by {{book.project.name}}, providing a lot of flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].
More doc
2016-06-05 22:17:31 +00:00
More screenshots. Reviewing getting started tutorials.
2016-06-14 23:50:50 +00:00
To create a new policy select the option *Drools* in the dropdown located in the right upper corner of the permission listing.
.Add Drools Policy
image:../../images/policy/create-drools.png[alt="Add Drools Policy"]
More doc
2016-06-05 22:17:31 +00:00
=== Configuration
* *Name*
+
A human-readable and unique string describing the policy. We strongly suggest you to use names that are closely related with your business and security requirements, so you
can identify them more easily and also know what they actually mean
+
* *Description*
+
A string with more details about this policy
+
* *Policy Maven Artifact*
+
A Maven GAV pointing to an artifact from where the rules would be loaded from. Once you have provided the GAV, you can click *Resolve* to load both *Module* and *Session* fields
+
** Group Id
+
The groupId of the artifact
+
** Artifact Id
+
The artifactId of the artifact
+
** Version
+
The version of the artifact
+
* *Module*
+
The module used by this policy. You must provide a module in order to select a specific session from where rules will be loaded from
+
* *Session*
+
The session used by this policy. The session provides all the rules to evaluate when processing the policy
+
* *Update Period*
+
Specifies an interval for scanning for artifact updates
+
* *Logic*
+
More screenshots. Reviewing getting started tutorials.
2016-06-14 23:50:50 +00:00
The link:logic.html[logic] of this policy
More doc
2016-06-05 22:17:31 +00:00
=== Examples
Here is a simple example of a Drools-Based policy that uses Attribute-Based Access Control (ABAC) to define a condition that evaluates to a GRANT
only if the authenticated user is the owner of the requested resource:
```javascript
import org.keycloak.authorization.policy.evaluation.Evaluation;
rule "Authorize Resource Owner"
dialect "mvel"
when
$evaluation : Evaluation(
$identity: context.identity,
$permission: permission,
$permission.resource != null && $permission.resource.owner.equals($identity.id)
)
then
$evaluation.grant();
end
```
You can even use another variant of ABAC to obtain attributes from the identity and define a condition accordingly:
```javascript
import org.keycloak.authorization.policy.evaluation.Evaluation;
rule "Authorize Using Identity Information"
dialect "mvel"
when
$evaluation : Evaluation(
$identity: context.identity,
identity.attributes.containsValue("someAttribute", "you_can_access")
)
then
$evaluation.grant();
end
```
For more details about what you can access from this interface, please take a look at link::/policy/evaluation-api.adoc[Evaluation API].
Reference in a new issue Copy permalink