[keycloak-dev] Group Based Policy
Pedro Igor Silva
psilva at redhat.com
Wed Jun 7 07:46:57 EDT 2017
Yeah, this is an old discussion .... JEE is another example about how
groups and roles are used in pretty much the same way. The really
difference is that you could actually map a set of one or more roles to a
group. But at the end is just another name with broader permissions.
On Wed, Jun 7, 2017 at 4:00 AM, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:
> I agree 100% with your arguments against supporting group-based policies.
> :) I guess people doing authorization based on groups are essentially using
> roles, they are just calling them groups. Keycloak can perfectly cover that
> case by using roles. The only potential difference I see is when there is
> something like composite roles or composite groups. With a composite role,
> you get all the subroles. With a composite group, you are in all the parent
> groups. However, offering this opposite direction (and adding composite
> groups) comes at the price of making it even harder for people to decide
> what they should (and do it correctly) so I don’t think it's really worth
> it.
> I do like the current RBAC way as it is a very clear concept. You can
> still switch to ABAC if RBAC does not cover your case...
>
> Mit freundlichen Grüßen / Best regards
>
> Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
>
>
> > -----Original Message-----
> > From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-
> > bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva
> > Sent: Dienstag, 6. Juni 2017 21:19
> > To: keycloak-dev <keycloak-dev at lists.jboss.org>
> > Subject: Re: [keycloak-dev] Group Based Policy
> >
> > Forgot to add something to the discussion.
> >
> > I'm not 100% sure if we should have a group policy though. Reason being
> that
> > groups are usually administrative things to group a set of one or more
> users and
> > usually they are not really suitable for authorization. For instance,
> with current
> > design you could enforce access based on groups as long as your groups
> have a
> > specific role which you can use in a role based policy. In this sense,
> roles are
> > definitely more suitable for authorization than groups.
> >
> >
> > On Tue, Jun 6, 2017 at 3:37 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
> >
> > > Hi All,
> > >
> > > I'm adding a Group Based Policy to our set of supported policies.
> > > Basically, this policy allows you to define the group(s) you want to
> > > give access to some resource or scope.
> > >
> > > Would like to share my initial scope with you and see if you guys have
> > > anything else to add:
> > >
> > > * Users can select one or more groups
> > > * Users can define groups using paths (e.g.: /Group A/Group B/*,
> > > /Group A, /Group A/Group B)
> > > * Users can decide whether or not access is granted if the identity is
> > > a member of all or any of the selected groups
> > > * Users can decide whether or not access extends to sub-groups of a
> > > parent group
> > >
> > > Please, let me know your thoughts.
> > >
> > > Regards.
> > > Pedro Igor
> > >
> > >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list