@pedroigor
Last active October 14, 2024 20:23
Discussion with Stan about FGA and the authorization model
- Create Permission UI
# Permissions to manage all users in a realm
* Resource Type: Users <required>
* Scope: update | read | delete | create
* Allow Users: <select a group> | <select role> | <select whatever we think makes sense as an access control mechanism> <mandatory>
# Permissions to manage users from a group and manage groups in a realm
* Resource Type: Group <required>
* Resource: <groupid> <optional>
* Scope: create | update | read | delete | update-members | read-members | update-membership
* Allow Users: <select a group>
# Permissions to manage clients in a realm
* Resource Type: Client <required>
* Resource: <clientid> <optional>
* Scope: create | update | read | delete | token-exchange
* Allow Users: <select a group> | <select a client>
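
import java.util.Set;

interface AuthorizationModel {
    Set<String> getScopes();            // scopes offered for this resource type
    Set<String> getSupportedPolicies(); // policy types selectable under "Allow Users"
}

class ClientModel implements AuthorizationModel {
    // override; values assumed from the client permission notes above
    @Override public Set<String> getScopes() { return Set.of("create", "update", "read", "delete", "token-exchange"); }
    @Override public Set<String> getSupportedPolicies() { return Set.of("group", "client"); }
}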

{
  "type": "group",
  "scopes": ["foo", "bar"],
  "supportedPolicies": ["group", "client"]
}

{
  "type": "group",
  "scopes": {
    "foo": {
      "uri": "/admin/realms/groups/{id}",
      "verb": "put"
    }
  }
}
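
An added example, not part of the original notes and not Keycloak code: one way the second descriptor (scope bound to a `uri` template and `verb`) could drive a deny-by-default check of an admin request against the permissions entered in the UI. The class, record and method names, the group ids and the group names are hypothetical, and the template is assumed to contain exactly one `{id}` placeholder.

```java
import java.util.*;
import java.util.regex.*;

public class ScopeResolverExample {
    // One entry of the descriptor's "scopes" map: scope name -> admin endpoint (uri template + verb).
    record ScopeBinding(String type, String scope, String verb, Pattern uri) {}
    // A permission as entered in the UI; resourceId == null means every resource of the type.
    record Permission(String type, String resourceId, Set<String> scopes, String allowGroup) {}

    static ScopeBinding bind(String type, String scope, String verb, String template) {
        String[] p = template.split("\\{id\\}", -1); // assumes exactly one {id} placeholder
        Pattern uri = Pattern.compile(Pattern.quote(p[0]) + "(?<id>[^/]+)" + Pattern.quote(p[1]));
        return new ScopeBinding(type, scope, verb, uri);
    }

    // Deny by default: a request that maps to no scope, or to no matching permission, is rejected.
    static boolean isAllowed(List<ScopeBinding> bindings, List<Permission> perms,
                             Set<String> userGroups, String verb, String path) {
        for (ScopeBinding b : bindings) {
            Matcher m = b.uri().matcher(path);
            if (!b.verb().equalsIgnoreCase(verb) || !m.matches()) continue;
            String id = m.group("id");
            for (Permission p : perms) {
                if (p.type().equals(b.type()) && p.scopes().contains(b.scope())
                        && (p.resourceId() == null || p.resourceId().equals(id))
                        && userGroups.contains(p.allowGroup())) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Binding copied from the descriptor above; group ids and group names are constructed.
        List<ScopeBinding> bindings = List.of(bind("group", "foo", "put", "/admin/realms/groups/{id}"));
        List<Permission> perms = List.of(new Permission("group", "g-123", Set.of("foo"), "helpdesk"));
        Set<String> alice = Set.of("helpdesk");

        System.out.println(isAllowed(bindings, perms, alice, "PUT", "/admin/realms/groups/g-123"));    // granted resource
        System.out.println(isAllowed(bindings, perms, alice, "PUT", "/admin/realms/groups/g-999"));    // other group id
        System.out.println(isAllowed(bindings, perms, alice, "DELETE", "/admin/realms/groups/g-123")); // verb has no scope
        System.out.println(isAllowed(bindings, perms, Set.of("sales"), "PUT", "/admin/realms/groups/g-123")); // not in Allow Users
    }
}
```

Only the first call is granted; the other three fall through to the default deny because the resource id, the verb-to-scope mapping, or the caller's group does not match.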