[keycloak-dev] roles vs. groups

Stian Thorgersen sthorger at redhat.com
Thu Nov 5 03:24:21 EST 2015 

After our chat I realized I was confusing things. I think the initial
design proposed by Bill is good, but we should keep composite roles. Roles
should rename roles and we should introduce role namespaces to replace the
current realm/client role split. So we should have:

* Role
* Composite role - these are powerful as they permit multiple inheritance
(and we also deal with cyclic inheritance). I believe these works well and
we've not had any negative feedback on them AFAIK
* Role namespaces - ability to create a hierarchy of roles (a role
namespace should just be a namespace, and not some sort of all inclusive
role)
* Group
  - Simple hierarchy (no multi inheritance)
  - A group has one or more attributes
  - A group has one or more role mappings
  - A user belongs to one or more groups
     - A user inherits all role mappings of the group
     - A user inherits all attributes of the group (we need to define how
duplicates are resolved)

I think this will provide the required tools to model most things.
Obviously it doesn't model permissions, but that's not the agenda.
Permissions are for Pedro's work, which will hopefully be brought into
master sometime next year.

With regards to how this is all added to tokens and managed in adapters we
need to be able to:

* Include/exclude groups in the token
* Include/exclude roles in the token
   - Including ability to specify namespaces to include
* For JEE adapters it should be possible to configure how roles from the
token are mapped onto roles in the app
   - Full namespace
   - Include single namespace and only include role name, not full namespace
   - More (groups -> roles?)? Custom?

Another related topic is fine-grained permissions in the admin
console/endpoints. We should leave it as is for now (course grained), with
the exception of utilizing role namespaces (instead of having to have
"mock" clients). In the future we should be able to leverage Pedro's work
to provide proper fine-grained permissions to the admin console/endpoints.

On 4 November 2015 at 18:24, Stan Silvert <ssilvert at redhat.com> wrote:

> On 11/4/2015 11:51 AM, Bill Burke wrote:
> >
> > On 11/4/2015 11:21 AM, Stan Silvert wrote:
> >> On 11/4/2015 10:37 AM, Bill Burke wrote:
> >>> On 11/4/2015 10:26 AM, Stan Silvert wrote:
> >>>> On 11/4/2015 9:15 AM, Bill Burke wrote:
> >>>>> I've alread stated the reason for composite roles:
> >>>>>
> >>>>> Say you have a set of applications under the Sales and Marketing
> >>>>> Department:  A Leads Application, Eloqua, and Salesforce.  Each of
> the
> >>>>> applications has a set of roles that are used to manage access to
> >>>>> various features of each application.  For example, each app might
> have
> >>>>> an "admin" role.  You would then want to organize permissions into
> >>>>> categories and assign coarser grain roles to individual users.  So,
> you
> >>>>> would create a "Sales Admin" composite role that contains the "admin"
> >>>>> role of each sales application.  Composite roles allow you to group
> >>>>> together roles into role catagories that you can assign to a specific
> >>>>> user or user group.
> >>>>>
> >>>>> User Groups are different as you want to assign a set of permissions
> to
> >>>>> a group of users.
> >>>>>
> >>>>> So composite roles are used to group together roles of a set of
> >>>>> applications.  User Groups are used to grant a set of perissions to a
> >>>>> set of users.
> >>>> Maybe it's just me, but I think of user groups as just a way to group
> >>>> users, and roles as a way to group permissions.  Roles are assigned to
> >>>> user groups.  Permissions are assigned to roles.
> >>>>
> >>> We dont' have the concept of a permission, so, assigning roles to a
> >>> composite role is equivalent right now of assigning permissions to a
> role.
> >> Isn't that what Pedro is working on right now?
> > No.  His is like: user in this group as write access to this document.
> > This is just roles and sets of roles.
> >
> >
> "write access to this document" is a permission.  Permissions assigned
> to roles.  Roles assigned to groups.
>
> Maybe it's just semantics, but that's the kind of think I'm used to
> seeing in other systems.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151105/52ab3cab/attachment.html

More information about the keycloak-dev mailing list