[keycloak-dev] Introduce role attributes

Thomas Darimont thomas.darimont at googlemail.com
Wed Jul 25 10:28:46 EDT 2018


Another use case could be supporting segregation of duties (SoD). A role
could list a set of mutually exclusive roles that cannot be assigned to a
user at the same time.

Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com> wrote on
Wed, 25 July 2018, 17:03:

> We also have the same requirements but would use it mostly for role
> metadata. This would not be used in a token but for things like after
> assigning a role to a user sending an email to the person responsible for
> that role. This is required for compliance reasons. We would strongly
> prefer to store this data in Keycloak as custom role attributes instead of
> maintaining it somewhere else...
>
> Best regards,
> Sebastian
>
> Kind regards / Best regards
>
> Dr.-Ing.  Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <
> keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
> Sent: Monday, 16 July 2018 20:27
> To: Sebastian.Loesch at governikus.de
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: Re: [keycloak-dev] Introduce role attributes
>
> I don't think we should add attributes to roles. It would introduce
> complexity and also potentially have performance/memory impacts.
>
> I also struggle to see how you would use attributes associated with roles.
> Are you thinking that would be mapped into the token together with the
> role name?
>
> On Tue, 3 Jul 2018 at 07:37, Lösch, Sebastian <
> Sebastian.Loesch at governikus.de> wrote:
>
> > Hi developers,
> >
> > we are currently setting up a project using keycloak and need to model:
> > - representative roles, i.e. roles that are given temporarily from one
> > user to another e.g. in holiday times
> > - roles contain entitlements on business objects
> >
> > The current role object in keycloak is not sufficient for our use cases.
> > Searching for a solution I stumbled over
> > https://issues.jboss.org/browse/KEYCLOAK-961
> > Introducing role attributes would solve my challenges. Also this fits
> > well in the keycloak data model, as there are already user attributes,
> > group attributes, realm attributes.
> >
> > So I would like to add role attributes to keycloak in the style of
> > group attributes.
> > What do you think?
> >
> > Best regards,
> > Sebastian
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >

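The segregation-of-duties use case from the top of this message, as an added example that is not part of the original thread and not Keycloak code. It assumes a hypothetical role attribute named `sod.excludes`, a plain dict role model with composite roles, and that an exclusion declared on one role applies in both directions.

```python
from typing import Dict, Iterable, List, Set, Tuple

SOD_ATTR = "sod.excludes"  # hypothetical attribute name, not a Keycloak built-in

# Constructed sample realm: roles carry attributes and may be composite.
ROLES: Dict[str, dict] = {
    "payment-creator": {"attributes": {SOD_ATTR: ["payment-approver"]}, "composites": []},
    "payment-approver": {"attributes": {}, "composites": []},
    "auditor": {"attributes": {SOD_ATTR: ["finance-admin"]}, "composites": []},
    "finance-admin": {"attributes": {}, "composites": ["payment-approver"]},
    "viewer": {"attributes": {}, "composites": []},
}

def effective_roles(names: Iterable[str], roles: Dict[str, dict]) -> Set[str]:
    """Expand composite roles transitively; the 'seen' set makes cycles safe."""
    seen: Set[str] = set()
    stack = list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        seen.add(name)
        stack.extend(roles[name]["composites"])
    return seen

def excluded_pairs(roles: Dict[str, dict]) -> Set[frozenset]:
    """Collect exclusions as unordered pairs, so declaring one side is enough."""
    pairs: Set[frozenset] = set()
    for name, role in roles.items():
        for other in role["attributes"].get(SOD_ATTR, []):
            if other != name:
                pairs.add(frozenset((name, other)))
    return pairs

def sod_conflicts(assigned: Iterable[str], candidate: str,
                  roles: Dict[str, dict]) -> List[Tuple[str, ...]]:
    """Return the exclusive pairs the user would hold after granting candidate."""
    after = effective_roles(list(assigned) + [candidate], roles)
    return sorted(tuple(sorted(p)) for p in excluded_pairs(roles) if p <= after)

if __name__ == "__main__":
    # A composite role pulls in an excluded role indirectly.
    print(sod_conflicts({"payment-creator"}, "finance-admin", ROLES))
```

An empty result means the grant is allowed; a non-empty result names each pair that would have to be rejected or approved as an exception.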
