[keycloak-user] Keycloak to set up Teams and Organizations

Nic Grange nicolas.grange at retrievercommunications.com
Wed Oct 14 19:06:01 EDT 2015


From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.



Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.

The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. a Group Admin role allows a user permission to administer only data created/owned by users in that group).

Cheers,
Nic


>Date: Wed, 14 Oct 2015 11:35:38 -0400
>From: Bill Burke <bburke at redhat.com>
>Subject: Re: [keycloak-user] Keycloak to set up Teams and
>	Organizations
>To: keycloak-user at lists.jboss.org
>Message-ID: <561E764A.4030706 at redhat.com>
>Content-Type: text/plain; charset=windows-1252; format=flowed
>
>That's just not how keycloak was designed.
>
>Realms contain users, applications/clients, roles, groups etc.  Realms 
>were meant to be completely isolated from one another.
>
>On 10/14/2015 10:53 AM, Tim Dudgeon wrote:
>> The use case for me is to use multiple realms for authentication (e.g.
>> one realm for each organisation) that can access a single application
>> using a common set of roles.
>> It's sort of discussed from a different perspective on the apiman list here:
>> http://lists.jboss.org/pipermail/apiman-user/2015-October/000361.html
>>
>> Tim
>>
>> On 14/10/2015 15:34, Bill Burke wrote:
>>> No, we are not creating "global" groups and roles. Use case please?
>>> We're trying to keep realms isolated from one another.
>>>
>>> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>>>> The scope of this is presumably groups within an individual realm?
>>>> Is there any possibility for "global" groups and roles that can span
>>>> multiple realms?
>>>>
>>>> Tim
>>>>
>>>> On 13/10/2015 17:18, Bill Burke wrote:
>>>>> You just want something like github groups?  List your requirements.
