custom role for group scope #2905
Hi, as far as I tested the authentication integration between apicurio-registry and Keycloak, it seems there are only 3 available roles (sr-admin, sr-developer, sr-readonly), and the sr-developer role can create or delete any artifact on apicurio registry. My requirement is making my own role to determine the permission at group-level scope, e.g. role sr-developer-teamA can only create/delete artifacts in the group named teamA. Could that be possible?
Replies: 1 comment 1 reply
Hi @meenajaeiei, no, there's no option like that right now. You can enable group-owner authorization (REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS; note that REGISTRY_AUTH_OBAC_ENABLED is also required when enabling this option), so that only the user who created an artifact group has write access to that artifact group, for example, to add or remove artifacts in that group.
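
A preflight check for the dependency between the two settings named in the reply above, as an added example that is not part of the original discussion or of the Apicurio project's code. It assumes the settings are kept in a KEY=VALUE env file and are enabled with the value "true"; `env_value` and `obac_group_state` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: preflight check for the two settings named in the reply.
# Assumptions: the settings live in a KEY=VALUE env file and use "true" to
# enable; env_value and obac_group_state are hypothetical helper names.

# Print the last value assigned to key $2 in env file $1 (empty if unset).
# Commented-out lines do not match; surrounding quotes and case are normalised.
env_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" |
        tr '[:upper:]' '[:lower:]'
}

# Print the effective state and return 0 (consistent) or 1 (prerequisite missing).
obac_group_state() {
    obac=$(env_value "$1" REGISTRY_AUTH_OBAC_ENABLED)
    limit=$(env_value "$1" REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS)
    if [ "$limit" != "true" ]; then
        echo "not-requested"          # group-owner authorization is not asked for
    elif [ "$obac" = "true" ]; then
        echo "enabled"                # both settings present
    else
        echo "missing-prerequisite"   # LIMIT_GROUP_ACCESS without OBAC_ENABLED
        return 1
    fi
}

# Constructed sample: the prerequisite is commented out, so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# REGISTRY_AUTH_OBAC_ENABLED=true
REGISTRY_AUTH_OBAC_LIMIT_GROUP_ACCESS="True"
EOF
obac_group_state "$sample" || echo "fix: also set REGISTRY_AUTH_OBAC_ENABLED" >&2
rm -f "$sample"
```

Run against the deployment's env file in CI, the non-zero exit status catches a configuration where group limiting was requested but its prerequisite was left out or commented out.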