<div dir="ltr">I don't think we should use the group concept for managing permissions in admin endpoints. That'll just be to confusing IMO. In either case we don't need a distinction between user and client, as we'd have roles for that.<div><br></div><div>What about domain/organization or something? Within a realm you could have one or more organizations. Users and clients belong to a single organization. Then we'd have a role namespace for the organiztion for example roles would be:</div><div><br></div><div>* org.keycloak/<organization name>/view-clients</div><div>* org.keycloak/<organization name>/manage-clients</div><div>* org.keycloak/<organization name>/view-users</div><div>* org.keycloak/<organization name>/manage-users</div><div><br></div><div>In fact you don't need groups to do that, just role namespaces and the ability to configure what "namespace" is used for a particular client or user.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 November 2015 at 22:20, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In my previous email I talked about combining Groups and Role<br>
Namespaces. Now I want to talk about User Groups vs. Client Groups.<br>
<br>
User Groups would manage a set of users. Members would automatically<br>
inherit a set of "permissions": a set of roles. User Groups would also<br>
provide a set of attributes that the user inherits.<br>
<br>
I'd like to introduce the concept of a Client Group. Client Group would<br>
have:<br>
<br>
* Roles - basically a role namespace<br>
* Permissions - set of roles service accounts members inherit<br>
* Scope - same as our current concept of scope<br>
* Protocol Policies - common protocol configuration.<br>
<br>
Each Client Group would have some default roles defined. i.e. roles<br>
that allow a user to edit any client in the client group.<br>
<br>
Each Client would have the same configuration options. They would be<br>
able to have an additional set of roles, permissions, scope, and<br>
overridable Protocol Policies.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div>