{ "allowRemoteResourceManagement": true, "policyEnforcementMode": "ENFORCING", "resources": [ { "name": "User Profile Resource", "uri": "/profile", "type": "http://photoz.com/profile", "scopes": [ { "name": "profile:view" } ] }, { "name": "Album Resource", "uri": "/album/*", "type": "http://photoz.com/album", "scopes": [ { "name": "album:view" }, { "name": "album:delete" }, { "name": "album:create" } ] }, { "name": "Admin Resources", "uri": "/admin/*", "type": "http://photoz.com/admin", "scopes": [ { "name": "admin:manage" } ] }, { "name": "Scope Protected Resource", "uri": "/scope-any", "scopes": [ { "name": "scope-a" }, { "name": "scope-b" } ] } ], "policies": [ { "name": "Only Owner Policy", "description": "Defines that only the resource owner is allowed to do something", "type": "js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "code": "var permission = $evaluation.getPermission();\nvar identity = $evaluation.getContext().getIdentity();\nvar resource = permission.getResource();\nif (resource) {\nif (resource.getOwner().equals(identity.getId())) {\n$evaluation.grant();\n}}" } }, { "name": "Any Admin Policy", "description": "Defines that adminsitrators can do something", "type": "role", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[]", "roles": "[{\"id\":\"admin\",\"required\":true}]" } }, { "name": "Any User Policy", "description": "Defines that only users from well known clients are allowed to access", "type": "role", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[]", "roles": "[{\"id\":\"user\"},{\"id\":\"photoz-restful-api/manage-albums\",\"required\":true}]" } }, { "name": "Only From a Specific Client Address", "description": "Defines that only clients from a specific address can do something", "type": "js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[]", "code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1') || contextAttributes.containsValue('kc.client.network.ip_address', '0:0:0:0:0:0:0:1')) {\n $evaluation.grant();\n}" } }, { "name": "Administration Policy", "description": "Defines that only administrators from a specific network address can do something.", "type": "aggregate", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[\"Only From a Specific Client Address\",\"Any Admin Policy\"]" } }, { "name": "Only Owner and Administrators Policy", "description": "Defines that only the resource owner and administrators can do something", "type": "aggregate", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]" } }, { "name": "Only From @keycloak.org or Admin", "description": "Defines that only users from @keycloak.org", "type": "js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[]", "code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}" } }, { "name": "Album Resource Permission", "description": "General policies that apply to all album resources.", "type": "resource", "logic": "POSITIVE", "decisionStrategy": "AFFIRMATIVE", "config": { "defaultResourceType": "http://photoz.com/album", "default": "true", "applyPolicies": "[\"Any User Policy\",\"Administration Policy\"]" } }, { "name": "Admin Resource Permission", "description": "General policy for any administrative resource.", "type": "resource", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "defaultResourceType": "http://photoz.com/admin", "default": "true", "applyPolicies": "[\"Administration Policy\"]" } }, { "name": "View User Permission", "description": "Defines who is allowed to view an user profile", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[\"Only From @keycloak.org or Admin\"]", "scopes": "[\"profile:view\"]" } }, { "name": "Delete Album Permission", "description": "A policy that only allows the owner to delete his albums.", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[\"Only Owner and Administrators Policy\"]", "scopes": "[\"album:delete\"]" } }, { "name": "View Album Permission", "description": "A policy that only allows the owner to view his albums.", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "applyPolicies": "[\"Only Owner and Administrators Policy\"]", "scopes": "[\"album:view\"]" } }, { "name": "Deny Policy", "type": "js", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "code": "// by default, grants any permission associated with this policy\n$evaluation.deny();" } }, { "name": "Protected Scope A Permission", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"Scope Protected Resource\"]", "scopes": "[\"scope-a\"]", "applyPolicies": "[\"Any User Policy\"]" } }, { "name": "Protected Scope B Permission", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"Scope Protected Resource\"]", "scopes": "[\"scope-b\"]", "applyPolicies": "[\"Deny Policy\"]" } } ], "scopes": [ { "name": "profile:view" }, { "name": "album:view" }, { "name": "album:create" }, { "name": "album:delete" }, { "name": "admin:manage" } ] }