[keycloak-dev] roles vs. groups

Stan Silvert ssilvert at redhat.com
Wed Nov 4 12:24:39 EST 2015


On 11/4/2015 11:51 AM, Bill Burke wrote:
>
> On 11/4/2015 11:21 AM, Stan Silvert wrote:
>> On 11/4/2015 10:37 AM, Bill Burke wrote:
>>> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>>>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>>>> I've already stated the reason for composite roles:
>>>>>
>>>>> Say you have a set of applications under the Sales and Marketing
>>>>> Department:  A Leads Application, Eloqua, and Salesforce.  Each of the
>>>>> applications has a set of roles that are used to manage access to
>>>>> various features of each application.  For example, each app might have
>>>>> an "admin" role.  You would then want to organize permissions into
>>>>> categories and assign coarser grain roles to individual users.  So, you
>>>>> would create a "Sales Admin" composite role that contains the "admin"
>>>>> role of each sales application.  Composite roles allow you to group
>>>>> together roles into role categories that you can assign to a specific
>>>>> user or user group.
>>>>>
>>>>> User Groups are different as you want to assign a set of permissions to
>>>>> a group of users.
>>>>>
>>>>> So composite roles are used to group together roles of a set of
>>>>> applications.  User Groups are used to grant a set of permissions to a
>>>>> set of users.
>>>> Maybe it's just me, but I think of user groups as just a way to group
>>>> users, and roles as a way to group permissions.  Roles are assigned to
>>>> user groups.  Permissions are assigned to roles.
>>>>
>>> We don't have the concept of a permission, so, assigning roles to a
>>> composite role is equivalent right now to assigning permissions to a role.
>> Isn't that what Pedro is working on right now?
> No.  His is like: user in this group has write access to this document.
> This is just roles and sets of roles.
>
>
"write access to this document" is a permission.  Permissions assigned 
to roles.  Roles assigned to groups.

Maybe it's just semantics, but that's the kind of thing I'm used to 
seeing in other systems.
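The distinction Bill draws (composite roles group roles across applications; groups grant a set of roles to a set of users) can be made concrete by modelling how a user's effective roles get resolved. The following is an added example written for this page, not Keycloak code: role names such as "sales-admin", the "client:role" naming for per-application roles, and the users and groups are all constructed for illustration.

```python
"""Model of composite roles versus user groups, written for this page.

A composite role contains other roles (possibly other composites).
A group grants a set of roles to its members.  A user's effective roles
are the transitive expansion of everything granted directly or via groups.
"""
from collections import defaultdict


class RoleModel:
    def __init__(self):
        self.composites = defaultdict(set)   # composite role -> roles it contains
        self.group_roles = defaultdict(set)  # group -> roles granted to its members
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.user_groups = defaultdict(set)  # user -> groups the user belongs to

    def add_composite(self, parent, *children):
        self.composites[parent].update(children)

    def grant_to_group(self, group, *roles):
        self.group_roles[group].update(roles)

    def grant_to_user(self, user, *roles):
        self.user_roles[user].update(roles)

    def add_member(self, user, group):
        self.user_groups[user].add(group)

    def expand(self, roles):
        """Transitively expand composite roles.  The `seen` set makes a
        cycle (A contains B, B contains A) terminate instead of looping."""
        seen = set()
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.composites.get(role, ()))
        return seen

    def effective_roles(self, user):
        granted = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            granted |= self.group_roles.get(group, set())
        return self.expand(granted)

    def has_role(self, user, role):
        return role in self.effective_roles(user)


def build_sales_example():
    """The Sales and Marketing scenario from the thread.  Per-application
    roles are written as 'client:role'; all names are constructed here."""
    m = RoleModel()
    # Composite role: one coarse-grained role spanning three applications.
    m.add_composite("sales-admin", "leads:admin", "eloqua:admin", "salesforce:admin")
    # Composites can nest: admin of each app implies its ordinary user role.
    m.add_composite("leads:admin", "leads:user")
    m.add_composite("eloqua:admin", "eloqua:user")
    m.add_composite("salesforce:admin", "salesforce:user")
    # Groups: a set of roles granted to a set of users.
    m.grant_to_group("sales-staff", "leads:user", "salesforce:user")
    m.grant_to_group("sales-admins", "sales-admin")
    m.add_member("alice", "sales-admins")
    m.add_member("bob", "sales-staff")
    # A composite can also be assigned to a single user, no group involved.
    m.grant_to_user("carol", "sales-admin")
    return m


if __name__ == "__main__":
    model = build_sales_example()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(model.effective_roles(user)))
```

Alice and Carol end up with identical effective roles even though one got "sales-admin" through a group and the other directly; Bob, a member of "sales-staff", only holds the two user roles the group grants. Resolution walks composites with a visited set, so a mis-configured cycle between two composites terminates rather than recursing forever.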

