[keycloak-dev] [authz] Roles as first class citizens

Bill Burke bburke at redhat.com
Sat Apr 1 10:31:07 EDT 2017

Yes, because I think the most common permission will be 100% role based.

On 4/1/17 10:21 AM, Pedro Igor Silva wrote:
> I think you are exploring now a new way of seeing things.
> Today we have a flexible permissioning model where you define 
> independent policies to build these permissions or even build other 
> policies. Where you may have a library of policies, reuse these 
> policies across different permissions, etc.
> What you are proposing, if I understood correctly, and that is what I 
> meant by the "new way of seeing things", is also allow users to create 
> permissions more easily without necessarily having to create policies. 
> In other words, we would be providing additional permission types (in 
> addition to resource/scope) for some very common use cases like the 
> one you mentioned where you just need a white/blacklist of roles.
> Does it make sense ?
> On Sat, Apr 1, 2017 at 10:11 AM, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>     I find creating role policies as cumbersome.  Also, how is the admin
>     supposed to know if a policy with a specific role has already been
>     created or not?  Maybe policies can have DENY and PERMIT role lists.
>     when creating permissions you can just pick roles to add/remove to the
>     permission.  I think the most used, most common case (90% of the
>     time?)
>     will be assigning role permissions to resources so we should make
>     it as
>     easy as possible.  Both within the admin UI and APIs. Thoughts?
>     Bill
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>

More information about the keycloak-dev mailing list