[keycloak-dev] roles vs. groups
Bill Burke
bburke at redhat.com
Wed Nov 4 11:51:56 EST 2015
On 11/4/2015 11:21 AM, Stan Silvert wrote:
> On 11/4/2015 10:37 AM, Bill Burke wrote:
>>
>> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>>> I've already stated the reason for composite roles:
>>>>
>>>> Say you have a set of applications under the Sales and Marketing
>>>> Department: A Leads Application, Eloqua, and Salesforce. Each of the
>>>> applications has a set of roles that are used to manage access to
>>>> various features of each application. For example, each app might have
>>>> an "admin" role. You would then want to organize permissions into
>>>> categories and assign coarser grain roles to individual users. So, you
>>>> would create a "Sales Admin" composite role that contains the "admin"
>>>> role of each sales application. Composite roles allow you to group
>>>> together roles into role categories that you can assign to a specific
>>>> user or user group.
>>>>
>>>> User Groups are different as you want to assign a set of permissions to
>>>> a group of users.
>>>>
>>>> So composite roles are used to group together roles of a set of
>>>> applications. User Groups are used to grant a set of permissions to a
>>>> set of users.
>>> Maybe it's just me, but I think of user groups as just a way to group
>>> users, and roles as a way to group permissions. Roles are assigned to
>>> user groups. Permissions are assigned to roles.
>>>
>> We don't have the concept of a permission, so, assigning roles to a
>> composite role is equivalent right now of assigning permissions to a role.
> Isn't that what Pedro is working on right now?
No. His is like: user in this group has write access to this document.
This is just roles and sets of roles.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
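
Added example, not part of the original message and not Keycloak code or its API: a small Python model of the distinction discussed in this thread, where composite roles group roles across applications and user groups grant roles to sets of users. The role identifiers, the nested "Department Head" composite, the group name and the user names are constructed for illustration.

```python
# Illustrative model only; not Keycloak's implementation or API.
# Constructed data mirroring the thread: each sales application has an "admin" role.
COMPOSITES = {
    "Sales Admin": {"leads:admin", "eloqua:admin", "salesforce:admin"},
    "Department Head": {"Sales Admin", "leads:reports"},  # nesting is an assumption
}
GROUP_ROLES = {"sales-managers": {"Sales Admin"}}      # roles granted to a group
GROUP_MEMBERS = {"sales-managers": {"alice", "bob"}}   # users in that group
USER_ROLES = {"carol": {"Department Head"}, "bob": {"leads:reports"}}


def expand(roles, composites=COMPOSITES):
    """Return the given roles plus every role reachable through composites."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:  # already visited; also stops composite cycles
            continue
        seen.add(role)
        stack.extend(composites.get(role, ()))
    return seen


def effective_roles(user):
    """Direct role mappings plus group-granted roles, composites expanded."""
    granted = set(USER_ROLES.get(user, ()))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            granted |= GROUP_ROLES.get(group, set())
    return expand(granted)


def grant_paths(user, role):
    """Access-review helper: which direct or group mapping yields `role`?"""
    paths = []
    for top in USER_ROLES.get(user, ()):
        if role in expand({top}):
            paths.append(("direct", top))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for top in GROUP_ROLES.get(group, ()):
                if role in expand({top}):
                    paths.append((group, top))
    return sorted(paths)
```

Running grant_paths during an access review shows whether a fine-grained application role reached a user through a group mapping or a direct composite assignment, which is the question that gets hard to answer once composites nest.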