[keycloak-user] Relationship of Groups to Roles?

Giovanni Baruzzi giovanni.baruzzi at syntlogo.de
Mon Jan 4 06:23:47 EST 2016


I'm very glad about the discussion here about roles and groups, since
granting access to users is the core of access management.
This said, we had been forced to look beyond the group object (or a similar
role object) for managing access entitlements, because these run out of gas at
about 100.000 users and we are targeting millions of users.
We even had to go further on the "role": the current definition describes an
entitlement just with the name of a role (or a group), and we needed
something more.

In the end we came up with a simple concept.

1. The roles are modeled by an attribute in the user object itself. Of
course the attribute is multivalued. This gives us the capability to
retrieve all the needed information with a single LDAP operation. No more
group searches or cascading groups, which are cumbersome and time consuming.
2. This attribute contains a structured value of the type
<realm><client><role><parameter>. We are playing with the idea of storing this
in a JSON structure. In the future, given the sensitivity of the access, we
may think of having this signed (like in a JWT), to ensure the reliability of the
information.
3. A separate identity management system will take care of the management of
this attribute; AMS has only the task of passing the values over to the
application.

We are going to implement that with our resources, extending KeyCloak where
needed, but I would like to share these ideas to have an open discussion on
this.
Further, it would be nice to see some aspects of this implemented in
KeyCloak. We may decide to share the code.

Regards,
Giovanni
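The attribute design described in the message above (one multivalued user attribute whose values each carry <realm><client><role><parameter>, JSON-encoded and optionally signed like a JWT, consumed in a single pass with no group lookup), as an added example that is not part of the original post or of KeyCloak: the JSON field names, the dotted JWS-style layout and the HMAC-SHA256 signature are assumptions, and the key and sample values are constructed.

```python
import base64, hashlib, hmac, json

# Constructed demo key (assumption). In the design above the IdM system that writes
# the attribute would hold the signing key; the consumer only needs to verify.
SIGNING_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_entitlement(realm, client, role, parameter, key=SIGNING_KEY):
    """One attribute value: <realm><client><role><parameter> as JSON, signed JWS-style."""
    payload = json.dumps({"realm": realm, "client": client, "role": role,
                          "parameter": parameter}, sort_keys=True,
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def decode_entitlement(value, key=SIGNING_KEY):
    """Return the entitlement dict if the signature verifies, else None."""
    try:
        payload_b64, sig_b64 = value.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None            # tampered or signed with another key
        return json.loads(payload)
    except (ValueError, json.JSONDecodeError):
        return None                # malformed value

def roles_for(attribute_values, realm, client, key=SIGNING_KEY):
    """Single pass over the multivalued attribute: {role: parameter} for realm/client."""
    roles = {}
    for value in attribute_values:
        ent = decode_entitlement(value, key)
        if ent is None:
            continue               # unverifiable values grant nothing
        if ent.get("realm") == realm and ent.get("client") == client:
            roles[ent.get("role")] = ent.get("parameter")
    return roles

# Constructed sample of what the IdM would write into the user's attribute.
USER_ATTRIBUTE = [
    encode_entitlement("master", "billing", "approver", "limit=5000"),
    encode_entitlement("master", "billing", "viewer", ""),
    encode_entitlement("master", "crm", "admin", ""),
]
```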
 


