[keycloak-dev] [authz] Roles as first class citizens
Bill Burke
bburke at redhat.com
Sat Apr 1 10:31:07 EDT 2017
Yes, because I think the most common permission will be 100% role based.
On 4/1/17 10:21 AM, Pedro Igor Silva wrote:
> I think you are exploring now a new way of seeing things.
>
> Today we have a flexible permissioning model where you define
> independent policies to build these permissions or even build other
> policies. Where you may have a library of policies, reuse these
> policies across different permissions, etc.
>
> What you are proposing, if I understood correctly, and that is what I
> meant by the "new way of seeing things", is to also allow users to create
> permissions more easily without necessarily having to create policies.
> In other words, we would be providing additional permission types (in
> addition to resource/scope) for some very common use cases like the
> one you mentioned where you just need a white/blacklist of roles.
>
> Does it make sense?
>
> On Sat, Apr 1, 2017 at 10:11 AM, Bill Burke <bburke at redhat.com> wrote:
>
> I find creating role policies cumbersome. Also, how is the admin
> supposed to know if a policy with a specific role has already been
> created or not? Maybe policies can have DENY and PERMIT role lists.
> When creating permissions you can just pick roles to add/remove to the
> permission. I think the most used, most common case (90% of the time?)
> will be assigning role permissions to resources so we should make it as
> easy as possible. Both within the admin UI and APIs. Thoughts?
>
> Bill