[keycloak-dev] Group Based Policy

Pedro Igor Silva psilva at redhat.com
Tue Jun 6 15:18:43 EDT 2017

Forgot to add something to the discussion.

I'm not 100% sure if we should have a group policy though. Reason being
that groups are usually administrative things to group a set of one or more
users and usually they are not really suitable for authorization. For
instance, with current design you could enforce access based on groups as
long as your groups have a specific role which you can use in a role based
policy. In this sense, roles are definitely more suitable for authorization
than groups.

On Tue, Jun 6, 2017 at 3:37 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi All,
> I'm adding a Group Based Policy to our set of supported policies.
> Basically, this policy allows you to define the group(s) you want to give
> access to some resource or scope.
> Would like to share my initial scope with you and see if you guys have
> anything else to add:
> * Users can select one or more groups
> * Users can define groups using paths (e.g.: /Group A/Group B/*, /Group A,
> /Group A/Group B)
> * Users can decide whether or not access is granted if the identity is a
> member of all or any of the selected groups
> * Users can decide whether or not access extends to sub-groups of a parent
> group
> Please, let me know your thoughts.
> Regards.
> Pedro Igor

More information about the keycloak-dev mailing list