ABAC with keycloak - Using Resource attributes in policy

Content Index :

ABAC with keycloak - Using Resource attributes in policy
ABAC Attributes Resolution
ABAC PIP Attributes Request
What should ABAC PIP do in case of attributes resolution impossibility?
using open policy agent (OPA) as an ABAC system
Writing a sample ABAC authorization policy using ALFA and XACML

ABAC with keycloak - Using Resource attributes in policy

Tag : development , By : unadopted

Date : November 28 2020, 11:01 PM

Hope this helps I solved this problem in Keycloak 4.3 by creating a JavaScript policy because Attribute policies don't exist (yet). Here is an example of the code I got working (note that the attribute values are a list, so you have to compare against the first item in the list):

var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();

if (attributes.status !== null && attributes.status[0] == "draft") {
    $evaluation.grant();
} else {
    $evaluation.deny();
}

Comments

No Comments Right Now !

Boards Message :

You Must Login Or Sign Up to Add Your Comments .

Share :

Tags :

ABAC with keycloak - Using Resource attributes in policy , using open policy agent (OPA) as an ABAC system , Writing a sample ABAC authorization policy using ALFA and XACML , ABAC Attributes Resolution , cors policy: no access-control-allow-origin header is present on the requested resource. ,

ABAC Attributes Resolution

Tag : security , By : shehan

Date : March 29 2020, 07:55 AM

Any of those help
On request to PDP shall we pass all possible attributes that we are having? As far as I understood this will increase performance as it will allow to filter out by policy's target a lot of policies.

ABAC PIP Attributes Request

Tag : security , By : Tony Z

Date : March 29 2020, 07:55 AM

With these it helps The following approach is based on XACML model. If you need a solution that better handle cases where some of the resource attributes are missing from requests, let us know. I can update my answer, but the solution is more complex since it adds more checks for empty/undefined attributes.
I use a simplified syntax but you can easily translate to XACML with these few conventions:

What should ABAC PIP do in case of attributes resolution impossibility?

Tag : security , By : Senthil

Date : March 29 2020, 07:55 AM

seems to work fine The interaction between the PDP and the PIP is not specified in the XACML standard. It is down to each implementation (AuthZForce, Axiomatics...) to determine how they handle each case.
Generally speaking, there are 3 errors that can occur when using a PIP:

using open policy agent (OPA) as an ABAC system

Tag : development , By : user176445

Date : December 05 2020, 12:10 PM

may help you . I have a project that requires ABAC for access control for my projects resources. I've been looking at OPA and authzforce as options to implement ABAC and OPA looks like it might be less complicated than authzforce. I see that OPA compares itself to other systems and paradigms but the example it gave for ABAC leaves a lot to be desired. Mainly because ABAC requires the use of points that enforce policies, makes decisions around policies, fetch subject and object attributes for policy decisions. I feel like OPA has everything but the last part covered but it's hard to tell if that's true since their ABAC example is just a one-off. ,
OPA looks like it might be less complicated than authzforce