[keycloak-dev] [authz] Roles as first class citizens

Pedro Igor Silva psilva at redhat.com
Sat Apr 1 10:40:48 EDT 2017

What about creating a new permission type called "Roles" or whatever, which
provides a single page from where you can select:

* Resource
* Scopes
* Whitelist of Roles
* Blacklist of Roles
* Policies (in case you want to also apply any other policy in addition to
both white/blacklist)


On Sat, Apr 1, 2017 at 11:31 AM, Bill Burke <bburke at redhat.com> wrote:

> Yes, because I think the most common permission will be 100% role based.
> On 4/1/17 10:21 AM, Pedro Igor Silva wrote:
> I think you are exploring now a new way of seeing things.
> Today we have a flexible permissioning model where you define independent
> policies to build these permissions or even build other policies. Where you
> may have a library of policies, reuse these policies across different
> permissions, etc.
> What you are proposing, if I understood correctly, and that is what I
> meant by the "new way of seeing things", is to also allow users to create
> permissions more easily without necessarily having to create policies. In
> other words, we would be providing additional permission types (in addition
> to resource/scope) for some very common use cases like the one you
> mentioned where you just need a white/blacklist of roles.
> Does it make sense?
> On Sat, Apr 1, 2017 at 10:11 AM, Bill Burke <bburke at redhat.com> wrote:
>> I find creating role policies cumbersome.  Also, how is the admin
>> supposed to know if a policy with a specific role has already been
>> created or not?  Maybe policies can have DENY and PERMIT role lists.
>> When creating permissions you can just pick roles to add/remove to the
>> permission.  I think the most used, most common case (90% of the time?)
>> will be assigning role permissions to resources so we should make it as
>> easy as possible.  Both within the admin UI and APIs.  Thoughts?
>> Bill
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
