<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Define "tenant" and what it accomplishes and how you are using
tiers to implement this functionality and I might be able to help.<br>
</p>
<br>
<div class="moz-cite-prefix">On 7/20/16 2:41 PM, Keith Dev wrote:<br>
</div>
<blockquote
cite="mid:CA+e59AEcfkvL3ns_BTLECRbSK_5TLkb-faNAL_Ur_HDq=3X3=A@mail.gmail.com"
type="cite">
<div dir="ltr">I'm moving a web application with REST services
from Picketlink to Keycloak. This is a multi-tentant application
(1k+ tenants) where single user accounts can belong to multiple
tenants. In Picketlink, this was accomplished using Tiers. So
there is a single realm, but one Tier per tenant. Its not clear
what the analog is in Keycloak.
<div><br>
</div>
<div>We considered multiple realms, but both the number of
tenants and the hard requirement to allow a single user cross
tenants seems to make this a nonstarter.<br>
<div><br>
</div>
<div>The best idea we have so far is to have a single realm,
but create namespaced security artifacts: e.g.
Tenant1.Admins. This is not ideal as we were hoping for more
separation between tenants. I did see <a
moz-do-not-send="true"
href="http://lists.jboss.org/pipermail/keycloak-dev/2013-July/000116.html">this</a> which
suggests that Picketlink Tiers equate to Resources, but its
not clear how. Certainly there does not seem to be any
separation of security artifacts within a Resource per se.</div>
<div><br>
</div>
<div>Advice?</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>