Segmenting the Application
In this use case, our application allows its users to carry out two kinds of activities, let's say tactical planning and operational planning. To this end, a number of its workspaces, dashboards, and tasks are dedicated to tactical planning, while other workspaces, dashboards, and tasks are dedicated to operational planning. In addition, a few workspaces, dashboards, and tasks are of interest regardless of the activity. We want some users to have access only to the application elements dedicated to one activity, some only to those of the other, and some to both.
This can be implemented by first creating two roles in Keycloak, say TACTICAL and OPERATIONAL, and assigning these roles to users according to the elements they will be allowed to see. Users allowed to see elements related to both activities should be given both roles. Second, we should create two permission groups, say "Tactical Elements" and "Operational Elements". In each group, we add the workspaces, dashboards, and tasks related to the corresponding activity. Finally, we should add the following permission rules to the ruleset attached to the application permission group "Tactical Elements":
EVERYBODY, ACCESS, WORKSPACE, false
EVERYBODY, ACCESS, SCENARIO, false
EVERYBODY, ACCESS, VIEW_DASHBOARD, false
EVERYBODY, ACCESS, TASK, false
EVERYBODY, ACCESS, JOB, false
role(TACTICAL), ACCESS, WORKSPACE, true
role(TACTICAL), ACCESS, SCENARIO, true
role(TACTICAL), ACCESS, VIEW_DASHBOARD, true
role(TACTICAL), ACCESS, TASK, true
role(TACTICAL), ACCESS, JOB, true
Similar rules (with role(TACTICAL) replaced by role(OPERATIONAL)) should be added to the ruleset attached to the application permission group "Operational Elements".
With the rules above, the workspaces, dashboards, and tasks that belong to neither permission group will be accessible to all users, because no rule denies them. This is fine in some applications, but not in others. Note that this default applies to any element that has not been added to a group: an element intended for one activity but forgotten when populating its permission group is visible to every user, so group membership should be checked whenever a new activity-specific element is created. If we are in an application where the general application elements must be accessible only to users with either role, then the following permission rules must be added to the ruleset attached to the application:
EVERYBODY, ACCESS, WORKSPACE, false
role(TACTICAL), ACCESS, WORKSPACE, true
role(OPERATIONAL), ACCESS, WORKSPACE, true
// same for SCENARIO, VIEW_DASHBOARD, TASK, and JOB
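To see what the two rulesets above actually grant and deny before committing them to a live configuration, it helps to run the rules through a small evaluator. The following Python is an added example, not the product's own permission engine; the page does not specify how rules are combined, so the evaluator assumes that the application ruleset is evaluated first, then the ruleset of the permission group the element belongs to, that the last matching rule wins, and that access is allowed when no rule matches (which reproduces the "accessible to all users" behaviour for ungrouped elements described above). The rule lines, element types, and role names are taken from the text; everything else is constructed for the example.

```python
"""Toy evaluator for permission rules of the form
'SUBJECT, ACTION, RESOURCE, true|false' (added example, not the product's engine).

Assumed semantics (not stated on the page): application rules first, then the
element's permission-group rules; last matching rule wins; no match means allowed.
"""
from dataclasses import dataclass

ELEMENT_TYPES = ("WORKSPACE", "SCENARIO", "VIEW_DASHBOARD", "TASK", "JOB")


@dataclass(frozen=True)
class Rule:
    subject: str    # "EVERYBODY" or "role(NAME)"
    action: str     # only "ACCESS" is used on this page
    resource: str   # one of ELEMENT_TYPES
    allowed: bool

    def matches(self, roles, action, resource):
        """True when this rule applies to a user holding `roles` for this action/resource."""
        if self.action != action or self.resource != resource:
            return False
        if self.subject == "EVERYBODY":
            return True
        if self.subject.startswith("role(") and self.subject.endswith(")"):
            return self.subject[5:-1] in roles
        raise ValueError(f"unknown subject {self.subject!r}")


def parse_rules(text):
    """Parse rule lines; '//' starts a comment, blank lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("//", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[3] not in ("true", "false"):
            raise ValueError(f"malformed rule: {line!r}")
        subject, action, resource, allowed = parts
        rules.append(Rule(subject, action, resource, allowed == "true"))
    return rules


def group_rules(role):
    """The per-activity ruleset from the page: deny EVERYBODY, then allow the role."""
    lines = [f"EVERYBODY, ACCESS, {t}, false" for t in ELEMENT_TYPES]
    lines += [f"role({role}), ACCESS, {t}, true" for t in ELEMENT_TYPES]
    return parse_rules("\n".join(lines))


TACTICAL_RULES = group_rules("TACTICAL")         # "Tactical Elements" group
OPERATIONAL_RULES = group_rules("OPERATIONAL")   # "Operational Elements" group

# Application-level ruleset that closes the default-allow gap for ungrouped elements.
RESTRICTED_APP_RULES = parse_rules("\n".join(
    f"EVERYBODY, ACCESS, {t}, false\n"
    f"role(TACTICAL), ACCESS, {t}, true\n"
    f"role(OPERATIONAL), ACCESS, {t}, true"
    for t in ELEMENT_TYPES))


def can_access(roles, resource, app_rules=(), element_group_rules=(), action="ACCESS"):
    """Decide access under the assumed semantics (see module docstring)."""
    decision = True  # assumed default when nothing matches
    for rule in list(app_rules) + list(element_group_rules):
        if rule.matches(roles, action, resource):
            decision = rule.allowed
    return decision


if __name__ == "__main__":
    users = {"nobody": set(), "tac": {"TACTICAL"}, "ops": {"OPERATIONAL"},
             "both": {"TACTICAL", "OPERATIONAL"}}
    for app_name, app in (("open app", ()), ("restricted app", RESTRICTED_APP_RULES)):
        print(f"== {app_name} ==")
        for name, roles in users.items():
            row = [can_access(roles, "WORKSPACE", app, g)
                   for g in (TACTICAL_RULES, OPERATIONAL_RULES, ())]
            print(f"{name:7} tactical={row[0]!s:5} operational={row[1]!s:5} ungrouped={row[2]}")
```

Running the script prints one access matrix per application ruleset; the "ungrouped" column is the one that changes from True to False for the role-less user once the restricted application rules are in place, while the two group columns are unaffected.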