Guidance about when to use UMA in Keycloak


I started using Keycloak and stumbled upon User-Managed Access (UMA) when trying to implement fine-grained access control. As far as I understand, UMA is an extension of OAuth2 that provides an authorization layer. However, I'm struggling to grasp its exact use case and when to use it.

Is UMA suitable for enterprise applications where roles and permissions for resources are predefined by a Keycloak admin, who also grants privileges to users to achieve fine-grained access control? Or is it more intended for scenarios where end-users grant access to third parties for their own resources? Or can it be used for both?

Can anyone provide clarity on the appropriate use case for UMA in Keycloak?

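To make the "authorization layer" concrete, here is the UMA 2.0 grant as Keycloak implements it, walked through offline. This is an added example, not code from the original post or from Keycloak itself. The endpoint paths, the `grant_type` value, the `WWW-Authenticate: UMA ...` challenge and the `authorization.permissions` claim layout follow Keycloak's UMA documentation; the base URL, realm, client ids, resource ids and the RPT payload are constructed sample data, and the treatment of a permission entry without `scopes` as covering the whole resource is an assumption noted in the code. A real RPT is a signed JWT that must be verified against the realm keys before its claims are used; the functions below assume that has already happened.

```python
"""UMA 2.0 grant flow as Keycloak implements it, simulated offline.

Added example, not code from the original post. Endpoint paths, the grant_type
value and the `authorization.permissions` claim layout follow Keycloak's UMA
documentation; the base URL, realm, client ids, resource ids and the RPT
payload are constructed sample data. A real RPT is a signed JWT that must be
verified against the realm keys before its claims are used; that is assumed
to have been done already for the dicts passed in here.
"""
from typing import Callable, Optional
from urllib.parse import urlencode

KEYCLOAK = "https://sso.example.com"      # assumption: Keycloak base URL
REALM = "demo"                             # assumption: realm name
RESOURCE_SERVER = "photos-api"             # assumption: client id with authorization enabled

ISSUER = f"{KEYCLOAK}/realms/{REALM}"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"
# Protection API endpoint the resource server calls (with its PAT) to get a permission ticket.
PERMISSION_ENDPOINT = f"{ISSUER}/authz/protection/permission"
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def _aud(claims: dict) -> list:
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def rpt_grants(rpt: dict, resource: str, scope: str) -> bool:
    """Resource server side: does this (verified) RPT grant `scope` on `resource`?"""
    if rpt.get("iss") != ISSUER or RESOURCE_SERVER not in _aud(rpt):
        return False
    for perm in rpt.get("authorization", {}).get("permissions", []):
        if resource not in (perm.get("rsid"), perm.get("rsname")):
            continue
        scopes = perm.get("scopes")
        # Keycloak omits `scopes` when the permission covers the resource as a whole
        # (assumed here to grant every scope); otherwise the scope must be listed.
        if scopes is None or scope in scopes:
            return True
    return False


def uma_challenge(ticket: str) -> dict:
    """401 the resource server returns when no sufficient RPT was presented."""
    www = f'UMA realm="{REALM}", as_uri="{ISSUER}", ticket="{ticket}"'
    return {"status": 401, "headers": {"WWW-Authenticate": www}}


def parse_uma_challenge(header: str) -> dict:
    """Client side: extract realm, as_uri and ticket from the WWW-Authenticate value."""
    scheme, _, params = header.partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    fields = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def rpt_request(ticket: Optional[str] = None, permission: Optional[str] = None) -> dict:
    """Client side: form body of the UMA grant POST to the token endpoint.

    Either present the `ticket` from a 401 challenge, or skip the challenge and
    ask directly with `permission="<resource>#<scope>"` plus the resource
    server's client id as `audience`.
    """
    form = {"grant_type": UMA_TICKET_GRANT}
    if ticket:
        form["ticket"] = ticket
    elif permission:
        form["audience"] = RESOURCE_SERVER
        form["permission"] = permission
    else:
        raise ValueError("need a ticket or a permission")
    return {"url": TOKEN_ENDPOINT, "body": urlencode(form)}


# Constructed sample: claims of an RPT Keycloak would issue to "alice" for photos-api.
SAMPLE_RPT = {
    "iss": ISSUER,
    "aud": RESOURCE_SERVER,
    "preferred_username": "alice",
    "authorization": {"permissions": [
        {"rsid": "6d0c2c9e-3a4f-4a31-9d2b-0f1a7e5c9b11", "rsname": "album-42",
         "scopes": ["album:view"]},
        {"rsid": "b7e4f1a0-92c3-4d8e-8f6a-2c5d1e0b9a77", "rsname": "album-7",
         "scopes": ["album:view", "album:share"]},
    ]},
}


def handle(rpt: Optional[dict], resource: str, scope: str,
           get_ticket: Callable[[list], str]) -> dict:
    """Resource server: 200 if the RPT suffices, else challenge with a fresh ticket."""
    if rpt is not None and rpt_grants(rpt, resource, scope):
        return {"status": 200}
    # Ask for a ticket covering exactly what was attempted; in production this is a
    # POST to PERMISSION_ENDPOINT with the PAT, here an injected stand-in.
    ticket = get_ticket([{"resource_id": resource, "resource_scopes": [scope]}])
    return uma_challenge(ticket)


def demo() -> list:
    """Walk the exchange offline and return the observed steps."""
    fake_ticket = lambda perms: "ticket-" + perms[0]["resource_id"]  # stand-in for Keycloak
    steps = []
    first = handle(None, "album-42", "album:view", fake_ticket)      # no RPT yet
    steps.append(("resource server", first["status"]))
    chal = parse_uma_challenge(first["headers"]["WWW-Authenticate"])
    steps.append(("client", rpt_request(ticket=chal["ticket"])["url"]))
    # Keycloak evaluates its policies and, if they pass, returns the RPT (SAMPLE_RPT here).
    second = handle(SAMPLE_RPT, "album-42", "album:view", fake_ticket)
    steps.append(("resource server", second["status"]))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(*step)
```

The point the flow makes about the question's two scenarios: the policy decision is taken by Keycloak when the client exchanges the ticket at the token endpoint, so whether that decision comes from admin-defined role or resource policies or from a user sharing their own resource is a matter of which policies are attached to the resource, not of the protocol. The resource server only ever checks the `authorization.permissions` claim of the RPT, as `rpt_grants` does.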
1 Answer


Hmmmm, well UMA is about controlling access to your information in an OAuth context. For a proper permission solution, I'd suggest going with a different approach.

If you're looking for fine-grained access control, you're better off using Keycloak as an identity provider and a user management tool that will provide you with basic roles as well, and then integrating an actual access management solution like cerbos.dev to get that lightweight yet granular policy control.

Depending on your stack, you can plug in an SDK, host the Cerbos server at your end, and start writing those fine-grained policies. This README should be enough to get you started.