diff --git a/authorization_services/keycloak-images/resource/create.png b/authorization_services/keycloak-images/resource/create.png index f3253b344b..684b256024 100644 Binary files a/authorization_services/keycloak-images/resource/create.png and b/authorization_services/keycloak-images/resource/create.png differ diff --git a/authorization_services/rhsso-images/resource/create.png b/authorization_services/rhsso-images/resource/create.png index aa25daa948..20ee44e3a0 100644 Binary files a/authorization_services/rhsso-images/resource/create.png and b/authorization_services/rhsso-images/resource/create.png differ diff --git a/authorization_services/topics/policy-evaluation-api.adoc b/authorization_services/topics/policy-evaluation-api.adoc index 6b7704cad5..815134ddd4 100644 --- a/authorization_services/topics/policy-evaluation-api.adoc +++ b/authorization_services/topics/policy-evaluation-api.adoc @@ -3,10 +3,10 @@ When writing rule-based policies using JavaScript or JBoss Drools, {project_name} provides an Evaluation API that provides useful information to help determine whether a permission should be granted. -This API consists of a few interfaces that provides you access to information such as: +This API consists of a few interfaces that provide you access to information, such as -* The permission being requested -* The identity that is requesting the permission, from which you can obtain claims/attributes +* The permission being evaluated, representing both the resource and scopes being requested. +* The attributes associated with the resource being requested * Runtime environment and any other attribute associated with the execution context * Information about users such as group membership and roles diff --git a/authorization_services/topics/resource-create.adoc b/authorization_services/topics/resource-create.adoc index ada02626eb..1fa34a3ea8 100644 --- a/authorization_services/topics/resource-create.adoc +++ b/authorization_services/topics/resource-create.adoc @@ -31,11 +31,20 @@ is usually the relative path used to serve these resources. + One or more scopes to associate with the resource. +== Resource Attributes + +Resources may have attributes associated with them. These attributes can be used to provide additional information about +a resource and to provide additional information to policies when evaluating permissions associated with a resource. + +Each attribute is a key and value pair where the value can be a set of one or many strings. Multiple values can be defined for an attribute by separating each value with a comma. + + == Typed Resources The type field of a resource can be used to group different resources together, so they can be protected using a common set of permissions. == Resource Owners + Resources also have an owner. By default, resources are owned by the resource server. However, resources can also be associated with users, so you can create permissions based on the resource owner. For example, only the resource owner is allowed to delete or update a given resource.