keycloak-scim/topics/policy/drools-policy.adoc

== Drools-Based Policy

This type of policy allows you to define conditions for your permissions using http://www.drools.org[Drools], which is a rule evaluation environment. It is one of the _Rule-Based_ policy types
supported by {{book.project.name}}, and provides flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].

To create a new Drools-based policy, select the option *Drools* in the dropdown located in the right upper corner of the permission listing.

.Add Drools Policy
image:../../images/policy/create-drools.png[alt="Add Drools Policy"]

=== Configuration

* *Name*
+
A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you
can identify them more easily and also know what they actually mean.
+
* *Description*
+
A string with more details about this policy.
+
* *Policy Maven Artifact*
+
A Maven groupId-artifactId-version (GAV) pointing to an artifact where the rules are defined. Once you have provided the GAV, you can click *Resolve* to load both *Module* and *Session* fields.
+
** Group Id
+
The groupId of the artifact.
+
** Artifact Id
+
The artifactId of the artifact.
+
** Version
+
The version of the artifact.
+
* *Module*
+
The module used by this policy. You must provide a module in order to select a specific session from where rules will be loaded from.
+
* *Session*
+
The session used by this policy. The session provides all the rules to evaluate when processing the policy.
+
* *Update Period*
+
Specifies an interval for scanning for artifact updates.
+
* *Logic*
+
The link:logic.html[Logic] of this policy to apply after the other conditions have been evaluated.

=== Examples

Here is a simple example of a Drools-Based policy that uses Attribute-Based Access Control (ABAC) to define a condition that evaluates to a GRANT
only if the authenticated user is the owner of the requested resource:

```javascript
import org.keycloak.authorization.policy.evaluation.Evaluation;
rule "Authorize Resource Owner"
    dialect "mvel"
    when
       $evaluation : Evaluation(
           $identity: context.identity,
           $permission: permission,
           $permission.resource != null && $permission.resource.owner.equals($identity.id)
       )
    then
        $evaluation.grant();
end
```

You can even use another variant of ABAC to obtain attributes from the identity and define a condition accordingly:

```javascript
import org.keycloak.authorization.policy.evaluation.Evaluation;
rule "Authorize Using Identity Information"
    dialect "mvel"
    when
       $evaluation : Evaluation(
           $identity: context.identity,
           identity.attributes.containsValue("someAttribute", "you_can_access")
       )
    then
        $evaluation.grant();
end
```

For more details about what you can access from the `org.keycloak.authorization.policy.evaluation.Evaluation` interface, see link:./evaluation-api.adoc[Evaluation API].
More doc 2016-06-05 22:17:31 +00:00			`== Drools-Based Policy`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`This type of policy allows you to define conditions for your permissions using http://www.drools.org[Drools], which is a rule evaluation environment. It is one of the _Rule-Based_ policy types`
			`supported by {{book.project.name}}, and provides flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].`
More doc 2016-06-05 22:17:31 +00:00
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`To create a new Drools-based policy, select the option Drools in the dropdown located in the right upper corner of the permission listing.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
			`.Add Drools Policy`
			`image:../../images/policy/create-drools.png[alt="Add Drools Policy"]`

More doc 2016-06-05 22:17:31 +00:00			`=== Configuration`

			`* Name`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you`
			`can identify them more easily and also know what they actually mean.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Description`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A string with more details about this policy.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Policy Maven Artifact`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A Maven groupId-artifactId-version (GAV) pointing to an artifact where the rules are defined. Once you have provided the GAV, you can click Resolve to load both Module and Session fields.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`** Group Id`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The groupId of the artifact.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`** Artifact Id`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The artifactId of the artifact.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`** Version`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The version of the artifact.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Module`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The module used by this policy. You must provide a module in order to select a specific session from where rules will be loaded from.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Session`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The session used by this policy. The session provides all the rules to evaluate when processing the policy.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Update Period`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`Specifies an interval for scanning for artifact updates.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Logic`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The link:logic.html[Logic] of this policy to apply after the other conditions have been evaluated.`
More doc 2016-06-05 22:17:31 +00:00
			`=== Examples`

			`Here is a simple example of a Drools-Based policy that uses Attribute-Based Access Control (ABAC) to define a condition that evaluates to a GRANT`
			`only if the authenticated user is the owner of the requested resource:`

			```javascript
			`import org.keycloak.authorization.policy.evaluation.Evaluation;`
			`rule "Authorize Resource Owner"`
			`dialect "mvel"`
			`when`
			`$evaluation : Evaluation(`
			`$identity: context.identity,`
			`$permission: permission,`
			`$permission.resource != null && $permission.resource.owner.equals($identity.id)`
			`)`
			`then`
			`$evaluation.grant();`
			`end`
			```

			`You can even use another variant of ABAC to obtain attributes from the identity and define a condition accordingly:`

			```javascript
			`import org.keycloak.authorization.policy.evaluation.Evaluation;`
			`rule "Authorize Using Identity Information"`
			`dialect "mvel"`
			`when`
			`$evaluation : Evaluation(`
			`$identity: context.identity,`
			`identity.attributes.containsValue("someAttribute", "you_can_access")`
			`)`
			`then`
			`$evaluation.grant();`
			`end`
			```

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			For more details about what you can access from the `org.keycloak.authorization.policy.evaluation.Evaluation` interface, see link:./evaluation-api.adoc[Evaluation API].