Role-Based Access Control with Permissions

Build on your Keycloak authentication setup to implement authorization. This lab comes with Keycloak fully configured (realm, users, groups, OIDC) so you can focus entirely on the permissions framework.

Pre-configured for you:

• Keycloak with backstage realm and OIDC client
• Group mapper sending groups to Backstage tokens
• Three test users with different group memberships:
• alice.admin (platform-admins) - Full access
• bob.developer (developers) - Read + limited write
• carol.guest (guests) - Read only
• Sign-in resolver extracting groups from tokens

You'll learn to:

• Enable and configure the Backstage permissions framework
• Write permission policies that check Keycloak group membership
• Implement different access levels (admin, developer, guest)
• Lock down software templates and catalog actions by role
• Test that different users have different permissions
• Understand policy decisions: ALLOW, DENY, CONDITIONAL

This hands-on lab establishes role-based security boundaries using your existing identity provider groups.

Key Resources:

• Permissions Overview
• Permission Concepts
• Writing Policies