<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I like also the possibility to have
"common" set of protocol mappers shared between more clients. Also
in my client application, I may want to share roles defined in 2
different namespaces. So IMO it will be good if client can be
added to more different client groups/organizations and inherit
common roles, protocol mappers and scopes from all of them.<br>
<br>
Marek<br>
<br>
On 05/11/15 11:34, Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfFHk9sjoSTn_7Cg3fgZNfekp+abkpoWaUWGECGZ54c7Q@mail.gmail.com"
type="cite">
<div dir="ltr">However, maybe we should not try to introduce more
fine-grained permissions in admin endpoints at the moment. In
the future we should be able to leverage Pedro's work and do it
properly.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 5 November 2015 at 11:33, Stian
Thorgersen <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I don't think we should use the group concept
for managing permissions in admin endpoints. That'll just
be to confusing IMO. In either case we don't need a
distinction between user and client, as we'd have roles
for that.
<div><br>
</div>
<div>What about domain/organization or something? Within a
realm you could have one or more organizations. Users
and clients belong to a single organization. Then we'd
have a role namespace for the organiztion for example
roles would be:</div>
<div><br>
</div>
<div>* org.keycloak/<organization name>/view-clients</div>
<div>* org.keycloak/<organization
name>/manage-clients</div>
<div>* org.keycloak/<organization name>/view-users</div>
<div>* org.keycloak/<organization name>/manage-users</div>
<div><br>
</div>
<div>In fact you don't need groups to do that, just role
namespaces and the ability to configure what "namespace"
is used for a particular client or user.</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 3 November 2015 at 22:20,
Bill Burke <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:bburke@redhat.com">bburke@redhat.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">In
my previous email I talked about combining Groups
and Role<br>
Namespaces. Now I want to talk about User Groups
vs. Client Groups.<br>
<br>
User Groups would manage a set of users. Members
would automatically<br>
inherit a set of "permissions": a set of roles.
User Groups would also<br>
provide a set of attributes that the user
inherits.<br>
<br>
I'd like to introduce the concept of a Client
Group. Client Group would<br>
have:<br>
<br>
* Roles - basically a role namespace<br>
* Permissions - set of roles service accounts
members inherit<br>
* Scope - same as our current concept of scope<br>
* Protocol Policies - common protocol
configuration.<br>
<br>
Each Client Group would have some default roles
defined. i.e. roles<br>
that allow a user to edit any client in the client
group.<br>
<br>
Each Client would have the same configuration
options. They would be<br>
able to have an additional set of roles,
permissions, scope, and<br>
overridable Protocol Policies.<br>
<span><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com"
rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</body>
</html>