[keycloak-user] Relationship of Groups to Roles?

Bill Burke bburke at redhat.com
Thu Dec 10 15:50:06 EST 2015


I'm sure people will confuse Groups and Roles.  Groups in LDAP generally 
seem to be equivalent to Roles in Java EE.  But that's not the case in 
Keycloak.

Roles in Keycloak are similar to Java EE roles.  Users are granted a 
role, and become members of a Group.  Groups in Keycloak are a 
collection of users.  Groups can have roles and attributes assigned to 
them that user members inherit.

Clients/Applications work with roles, not with groups.  Applications 
assign privileges to roles, not users or groups.  Keycloak currently 
does not have the concept of Permissions/Entitlements.  Applications 
have to handle how privileges are assigned to a role themselves.

On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
> I'm trying to wrap my head around the use cases where each would be
> used.  If I understand it correctly, a role is a unit of authorization.
> Roles can have entitlements, either defined by Keycloak or an
> application.  A role can have other roles as members.  It can also
> have groups and individual users.  Groups aren't directly linked to
> entitlements, but are instead used to simply create a way to create a
> set of users (and groups).  Is this an accurate representation?
>
> I ask because I want to build some integrations between OpenUnison and
> MyVirtualDirectory.  Both work primarily on the LDAP concepts of
> users, groups and users.  Beyond SSO integration between OpenUnison
> and Keycloak, I'm looking at creating a provisioning target so
> OpenUnison workflows can provision access to Keycloak roles as well
> as an insert for MyVirtualDirectory that can represent Keycloak roles
> and users as LDAP Objects for legacy applications.
>
> Thanks
>
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
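As an added illustration of the model Bill describes (this is not code from Keycloak or from either poster), a small Python sketch in which an application checks roles only, while a group merely carries roles and attributes that its members inherit; the group, user and role names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed toy model of the Keycloak concepts described in the thread:
# roles are granted to users directly, groups are collections of users,
# and roles/attributes assigned to a group are inherited by its members.
# Not Keycloak's data model or API; all names below are invented.

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)      # directly granted roles
    groups: list = field(default_factory=list)   # group memberships
    attributes: dict = field(default_factory=dict)

def effective_roles(user: User) -> set:
    """Direct grants plus every role assigned to a group the user belongs to."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group.roles
    return roles

def effective_attributes(user: User) -> dict:
    """Group attributes are inherited; the user's own values take precedence."""
    attrs = {}
    for group in user.groups:
        attrs.update(group.attributes)
    attrs.update(user.attributes)
    return attrs

def app_allows(user: User, required_role: str) -> bool:
    """An application decides on roles only; it never inspects group membership."""
    return required_role in effective_roles(user)

# Constructed sample realm: the 'engineering' group carries the 'deployer' role.
ENGINEERING = Group("engineering", roles={"deployer"}, attributes={"office": "Boston"})
ALICE = User("alice", roles={"user"}, groups=[ENGINEERING])
BOB = User("bob", roles={"user"})  # same direct role, but no group membership

if __name__ == "__main__":
    print(sorted(effective_roles(ALICE)))                              # ['deployer', 'user']
    print(app_allows(ALICE, "deployer"), app_allows(BOB, "deployer"))  # True False
```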

