90 lines
2.8 KiB
Text
90 lines
2.8 KiB
Text
== Drools-Based Policy
|
|
|
|
This type of policy allows you to define conditions for your permissions using Drools. It is one of the _Rule-Based_ policy types
|
|
supported by {{book.project.name}}, providing a lot of flexibility to write any policy based on the link:evaluation-api.adoc[Evaluation API].
|
|
|
|
To create a new policy select the option *Drools* in the dropdown located in the right upper corner of the permission listing.
|
|
|
|
.Add Drools Policy
|
|
image:../../images/policy/create-drools.png[alt="Add Drools Policy"]
|
|
|
|
=== Configuration
|
|
|
|
* *Name*
|
|
+
|
|
A human-readable and unique string describing the policy. We strongly suggest you to use names that are closely related with your business and security requirements, so you
|
|
can identify them more easily and also know what they actually mean
|
|
+
|
|
* *Description*
|
|
+
|
|
A string with more details about this policy
|
|
+
|
|
* *Policy Maven Artifact*
|
|
+
|
|
A Maven GAV pointing to an artifact from where the rules would be loaded from. Once you have provided the GAV, you can click *Resolve* to load both *Module* and *Session* fields
|
|
+
|
|
** Group Id
|
|
+
|
|
The groupId of the artifact
|
|
+
|
|
** Artifact Id
|
|
+
|
|
The artifactId of the artifact
|
|
+
|
|
** Version
|
|
+
|
|
The version of the artifact
|
|
+
|
|
* *Module*
|
|
+
|
|
The module used by this policy. You must provide a module in order to select a specific session from where rules will be loaded from
|
|
+
|
|
* *Session*
|
|
+
|
|
The session used by this policy. The session provides all the rules to evaluate when processing the policy
|
|
+
|
|
* *Update Period*
|
|
+
|
|
Specifies an interval for scanning for artifact updates
|
|
+
|
|
* *Logic*
|
|
+
|
|
The link:logic.html[logic] of this policy
|
|
|
|
=== Examples
|
|
|
|
Here is a simple example of a Drools-Based policy that uses Attribute-Based Access Control (ABAC) to define a condition that evaluates to a GRANT
|
|
only if the authenticated user is the owner of the requested resource:
|
|
|
|
```javascript
|
|
import org.keycloak.authorization.policy.evaluation.Evaluation;
|
|
rule "Authorize Resource Owner"
|
|
dialect "mvel"
|
|
when
|
|
$evaluation : Evaluation(
|
|
$identity: context.identity,
|
|
$permission: permission,
|
|
$permission.resource != null && $permission.resource.owner.equals($identity.id)
|
|
)
|
|
then
|
|
$evaluation.grant();
|
|
end
|
|
```
|
|
|
|
You can even use another variant of ABAC to obtain attributes from the identity and define a condition accordingly:
|
|
|
|
```javascript
|
|
import org.keycloak.authorization.policy.evaluation.Evaluation;
|
|
rule "Authorize Using Identity Information"
|
|
dialect "mvel"
|
|
when
|
|
$evaluation : Evaluation(
|
|
$identity: context.identity,
|
|
identity.attributes.containsValue("someAttribute", "you_can_access")
|
|
)
|
|
then
|
|
$evaluation.grant();
|
|
end
|
|
```
|
|
|
|
For more details about what you can access from this interface, please take a look at link::/policy/evaluation-api.adoc[Evaluation API].
|