Help-Desk: HELP-8681

[fiware-stackoverflow] Fiware: How to restrict user access to specific entity for Orion Context Broker API using keystone & keypass

    Details

      Description

      Created question in FIWARE Q/A platform on 10-05-2017 at 20:05
      Please, ANSWER this question AT http://stackoverflow.com/questions/43900428/fiware-how-to-restrict-user-access-to-specific-entity-for-orion-context-broker

      Question:
      Fiware: How to restrict user access to specific entity for Orion Context Broker API using keystone & keypass

      Description:
      First of all, I'm using the Telefonica implementations of Identity Manager, Authorization PDP and PEP Proxy, instead of the Fiware reference implementations which are Keyrock, AuthZForce and Wilma PEP Proxy. The source code and reference documentation of each component can be found in the following GitHub repos:

      Telefonica keystone-spassword: https://github.com/telefonicaid/fiware-keystone-spassword

      Telefonica keypass: https://github.com/telefonicaid/fiware-keypass

      Telefonica PEP-Proxy: https://github.com/telefonicaid/fiware-pep-steelskin

      Besides, I'm working with my own in-house installation of the components, NO Fi-Lab. In addition to security components, I've an IoT Agent-UL instance and an Orion Context Broker instance.

      Starting from that configuration, I've created a domain in keystone (Fiware-Service) and a project inside the domain (Fiware-ServicePath). Then I have one device connected to the platform, sending data to the IoT Agent behind the PEP Proxy. The whole device message is represented as a single Entity in Orion Context Broker.

      So, the question is:

      How can I restrict a specific keystone user to access only the entity associated with this device, at the level of the Orion Context Broker API?

      I know that I can allow/deny user access to specific APIs via keystone Roles and XACML Policies, but that implies that I should create one Policy per User-Device pair.

      I could use some help with this, to know if I'm on the right way.
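      The following is an illustration of the per-entity policy the question describes, added here as an example; it is not taken from the question, from Keypass or from the steelskin PEP. It is a standard XACML 3.0 policy that permits a single role to read one Orion entity and denies every other request that reaches it. The attribute mapping is an assumption: it assumes the PEP populates resource-id with the request path of the entity, action-id with the Orion operation name ("read"), and subject-id with the Keystone role of the caller. The role name "device-0001-reader", the entity path "/v2/entities/urn:device:0001" and the policy id are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example policy, not from the question or the cited projects.
     Assumed values: role "device-0001-reader", entity path
     "/v2/entities/urn:device:0001", action "read". The attribute ids the
     PEP actually fills in must be checked against its XACML request. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="device-0001-read-only"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Allow role device-0001-reader to read a single Orion entity</Description>
  <!-- The policy only applies to callers holding the role; other roles are not matched -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">device-0001-reader</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-read-device-0001" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <!-- Resource: exact match on the one entity path, nothing wider -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities/urn:device:0001</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
          <!-- Action: read only; update and delete do not match and fall through to deny -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <!-- deny-unless-permit: a request from this role that does not match the rule is denied -->
</Policy>
```

      This is exactly the one-policy-per-user-device (here role-device) pair the question is worried about, written out; the role per device is what ties a Keystone user to a single entity. The check to do before writing any such policy is to capture the XACML request the PEP sends to Keypass for a real entity request: if the resource attribute carries only the Fiware-ServicePath and not the entity path, an entity-level match like the one above can never fire, and the restriction has to be expressed at service-path granularity instead.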

        Activity

        backlogmanager Backlog Manager added a comment - 2017-05-10 21:05|CREATED monitor | # answers= 0, accepted answer= False
        backlogmanager Backlog Manager added a comment - 2017-05-11 00:05|UPDATED status: transition Answer| # answers= 1, accepted answer= False
        backlogmanager Backlog Manager added a comment - 2017-05-11 03:05|UPDATED status: transition Answered| # answers= 1, accepted answer= False
        backlogmanager Backlog Manager added a comment - 2017-05-11 12:05|UPDATED status: transition Finish| # answers= 1, accepted answer= True

          People

          • Assignee: fermin Fermín Galán
          • Reporter: backlogmanager Backlog Manager
          • Votes: 0
          • Watchers: 1