<div dir="ltr">Ignore my previous response - I completely miss-read what was being proposed ;)</div><div class="gmail_extra"><br><div class="gmail_quote">On 5 November 2015 at 12:12, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  <div text="#000000" bgcolor="#FFFFFF">

    <div>I like also the possibility to have

      &quot;common&quot; set of protocol mappers shared between more clients. Also

      in my client application, I may want to share roles defined in 2

      different namespaces. So IMO it will be good if client can be

      added to more different client groups/organizations and inherit

      common roles, protocol mappers and scopes from all of them.<span class="HOEnZb"><font color="#888888"><br>

      <br>

      Marek</font></span><div><div class="h5"><br>

      <br>

      On 05/11/15 11:34, Stian Thorgersen wrote:<br>

    </div></div></div><div><div class="h5">

    <blockquote type="cite">

      <div dir="ltr">However, maybe we should not try to introduce more

        fine-grained permissions in admin endpoints at the moment. In

        the future we should be able to leverage Pedro&#39;s work and do it

        properly.</div>

      <div class="gmail_extra"><br>

        <div class="gmail_quote">On 5 November 2015 at 11:33, Stian

          Thorgersen <span dir="ltr">&lt;<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>

          wrote:<br>

          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

            <div dir="ltr">I don&#39;t think we should use the group concept

              for managing permissions in admin endpoints. That&#39;ll just

              be to confusing IMO. In either case we don&#39;t need a

              distinction between user and client, as we&#39;d have roles

              for that.

              <div><br>

              </div>

              <div>What about domain/organization or something? Within a

                realm you could have one or more organizations. Users

                and clients belong to a single organization. Then we&#39;d

                have a role namespace for the organiztion for example

                roles would be:</div>

              <div><br>

              </div>

              <div>* org.keycloak/&lt;organization name&gt;/view-clients</div>

              <div>* org.keycloak/&lt;organization

                name&gt;/manage-clients</div>

              <div>* org.keycloak/&lt;organization name&gt;/view-users</div>

              <div>* org.keycloak/&lt;organization name&gt;/manage-users</div>

              <div><br>

              </div>

              <div>In fact you don&#39;t need groups to do that, just role

                namespaces and the ability to configure what &quot;namespace&quot;

                is used for a particular client or user.</div>

            </div>

            <div>

              <div>

                <div class="gmail_extra"><br>

                  <div class="gmail_quote">On 3 November 2015 at 22:20,

                    Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank"></a><a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>

                    wrote:<br>

                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In

                      my previous email I talked about combining Groups

                      and Role<br>

                      Namespaces.  Now I want to talk about User Groups

                      vs. Client Groups.<br>

                      <br>

                      User Groups would manage a set of users.  Members

                      would automatically<br>

                      inherit a set of &quot;permissions&quot;: a set of roles. 

                      User Groups would also<br>

                      provide a set of attributes that the user

                      inherits.<br>

                      <br>

                      I&#39;d like to introduce the concept of a Client

                      Group.  Client Group would<br>

                      have:<br>

                      <br>

                      * Roles - basically a role namespace<br>

                      * Permissions - set of roles service accounts

                      members inherit<br>

                      * Scope - same as our current concept of scope<br>

                      * Protocol Policies - common protocol

                      configuration.<br>

                      <br>

                      Each Client Group would have some default roles

                      defined.  i.e. roles<br>

                      that allow a user to edit any client in the client

                      group.<br>

                      <br>

                      Each Client would have the same configuration

                      options.  They would be<br>

                      able to have an additional set of roles,

                      permissions, scope, and<br>

                      overridable Protocol Policies.<br>

                      <span><font color="#888888"><br>

                          --<br>

                          Bill Burke<br>

                          JBoss, a division of Red Hat<br>

                          <a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>

_______________________________________________<br>

                          keycloak-dev mailing list<br>

                          <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>

                          <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>

                        </font></span></blockquote>

                  </div>

                  <br>

                </div>

              </div>

            </div>

          </blockquote>

        </div>

        <br>

      </div>

      <br>

      <fieldset></fieldset>

      <br>

      <pre>_______________________________________________

keycloak-dev mailing list

<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>

<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>

    </blockquote>

    <br>

  </div></div></div>

</blockquote></div><br></div>