In addition to the Keycloak OAuth policy, you can use the Authorization policy to add a list of fine-grained authorization rules that allow you to control precisely who is allowed to access the API.
Adding the Authorization Policy
A wizard supports you during policy configuration. Refer to Attaching Policies for a step-by-step guide.
The configuration of this policy consists of a number of rules that are applied to any inbound request to the API. Each rule consists of a regular expression pattern, an HTTP verb and the role that an authenticated user must possess in order for access to be granted.
It is also possible to apply the rules for all requests by using a wildcard regular expression.
Example: additional role authorization with the Authorization policy:
- Only users with role support-admin are allowed to delete support cases.
- Only users with role support-manager are allowed to get support cases.
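As an added illustration of how such a rule set is evaluated (example code written for this page, not the product's own implementation), the following Python evaluator encodes the two rules above plus a wildcard rule that applies to every request. It assumes that a request matching no rule is denied and that, when several rules match, the user must hold the role of every one of them; the case paths and the support-user role are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    """One authorization rule: path regex, HTTP verb, required role."""
    path_pattern: str  # regular expression matched against the request path
    verb: str          # HTTP verb, or "*" for any verb (assumption)
    role: str          # role the authenticated user must hold


# Constructed sample policy: the two rules from the text plus a wildcard
# rule that requires a base role on every request to the API.
SUPPORT_RULES: List[Rule] = [
    Rule(r"/support/cases(/[^/]+)?", "DELETE", "support-admin"),
    Rule(r"/support/cases(/[^/]+)?", "GET", "support-manager"),
    Rule(r".*", "*", "support-user"),  # wildcard regex: applies to all requests
]


def matching_rules(rules: Iterable[Rule], method: str, path: str) -> List[Rule]:
    """Return every rule whose verb and path pattern match the request."""
    method = method.upper()
    return [
        r for r in rules
        if r.verb in ("*", method) and re.fullmatch(r.path_pattern, path)
    ]


def is_authorized(rules: Iterable[Rule], method: str, path: str, roles: Set[str]) -> bool:
    """Decide access for an authenticated user holding `roles`.

    Assumptions (not stated in the text): a request that matches no rule is
    denied, and when several rules match, the user must satisfy all of them.
    """
    matched = matching_rules(rules, method, path)
    if not matched:
        return False
    return all(r.role in roles for r in matched)


if __name__ == "__main__":
    # A support-admin holding the base role may delete a case ...
    print(is_authorized(SUPPORT_RULES, "DELETE", "/support/cases/42",
                        {"support-admin", "support-user"}))
    # ... but a support-manager with the same base role may not.
    print(is_authorized(SUPPORT_RULES, "DELETE", "/support/cases/42",
                        {"support-manager", "support-user"}))
```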