Merge pull request #342 from pedroigor/KEYCLOAK-6529

[KEYCLOAK-6529] - Resource Attributes
2018-03-27 08:52:37 -05:00 · 2018-03-27 08:52:37 -05:00 · e81b3a2f0b
commit e81b3a2f0b
parent 2b37305461 7a57854b14
4 changed files with 12 additions and 3 deletions
--- a/authorization_services/keycloak-images/resource/create.png
+++ b/authorization_services/keycloak-images/resource/create.png
--- a/authorization_services/rhsso-images/resource/create.png
+++ b/authorization_services/rhsso-images/resource/create.png
--- a/authorization_services/topics/policy-evaluation-api.adoc
+++ b/authorization_services/topics/policy-evaluation-api.adoc
@ -3,10 +3,10 @@

 When writing rule-based policies using JavaScript or JBoss Drools, {project_name} provides an Evaluation API that provides useful information to help determine whether a permission should be granted.

-This API consists of a few interfaces that provides you access to information such as:
+This API consists of a few interfaces that provide you access to information, such as

-* The permission being requested
-* The identity that is requesting the permission, from which you can obtain claims/attributes
+* The permission being evaluated, representing both the resource and scopes being requested.
+* The attributes associated with the resource being requested
 * Runtime environment and any other attribute associated with the execution context
 * Information about users such as group membership and roles

--- a/authorization_services/topics/resource-create.adoc
+++ b/authorization_services/topics/resource-create.adoc
@ -31,11 +31,20 @@ is usually the relative path used to serve these resources.
 +
 One or more scopes to associate with the resource.

+== Resource Attributes
+
+Resources may have attributes associated with them. These attributes can be used to provide additional information about
+a resource and to provide additional information to policies when evaluating permissions associated with a resource.
+
+Each attribute is a key and value pair where the value can be a set of one or many strings. Multiple values can be defined for an attribute by separating each value with a comma.
+
+
 == Typed Resources

 The type field of a resource can be used to group different resources together, so they can be protected using a common set of permissions.

 == Resource Owners
+
 Resources also have an owner. By default, resources are owned by the resource server.

 However, resources can also be associated with users, so you can create permissions based on the resource owner. For example, only the resource owner is allowed to delete or update a given resource.