<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Dear all,</div>
<div> </div>
<div>I’ve a question regarding the User Storage Federation (<a href="https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation.html"><font color="blue"><u>https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation.html</u></font></a>)
with respect to LDAP as an external user database and the available mappers.</div>
<div> </div>
<div><b>Current situation:</b></div>
<div>Right now I’m able to map roles assigned to users and defined in LDAP to Keycloak with the existing Role Mapper, e.g. an Administrator/User role for a specific application.</div>
<div> </div>
<div>The JWT output then contains a section like this:</div>
<div> </div>
<div>"resource_access": {</div>
<div> "myApp": {</div>
<div> "roles": [</div>
<div> "Administrator"</div>
<div> ]</div>
<div> }</div>
<div>}</div>
<div> </div>
<div> </div>
<div><b>Desired solution:</b></div>
<div>Is it possible <u>out of the box</u> to use the existing Role Mapper, as described in chapter <a href="https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation/ldap.html"><font color="blue"><u>https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/user-federation/ldap.html</u></font></a>,
to map composite roles defined in Keycloak to LDAP? </div>
<div>The thing is, in the end I want to define <u>composite roles in LDAP</u> that collect finer user rights under certain “container” roles - like Users, Editors, Administrator – and map them to Keycloak, together with the finer-grained rights, so that
the granted user rights are provided in the JWT. </div>
<div> </div>
<div>e.g.</div>
<div>Rights/Roles:</div>
<ul style="margin:0;padding-left:36pt;">
<li>read page</li><li>edit page</li><li>delete page</li><li>create page</li></ul>
<div> </div>
<div>Composite Roles:</div>
<ul style="margin:0;padding-left:36pt;">
<li>User = {read page}</li><li>Editor = {read page, create page, edit page}</li><li>Administrator = {read page, delete page}</li></ul>
<div> </div>
<div> </div>
<div>The final result in the JWT should then contain a section something like the following, where the composite role is automatically resolved into the more specific single rights:</div>
<div> </div>
<div>"resource_access": {</div>
<div> "myApp": {</div>
<div> "roles": [</div>
<div> "read page",</div>
<div> "delete page"</div>
<div> ]</div>
<div> }</div>
<div>}</div>
<div> </div>
<div>Or is Keycloak designed in such a way that the finer rights can be stored in LDAP, but the composition is done afterwards in Keycloak?</div>
<div> </div>
<div>Thanks,</div>
<div>Christian</div>
<div> </div>
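<div>As an added illustration (not code from the question or from Keycloak itself), here is a small model of the composite-role resolution the question asks about: composite roles defined as sets of finer rights are expanded transitively into the flat <code>roles</code> list of the <code>resource_access</code> claim. The role names and the <code>myApp</code> client id come from the question; the function names, the <code>include_composites</code> switch and the cycle handling are assumptions made for this example.</div>

```python
from typing import Dict, Iterable, List, Set

# Constructed example data mirroring the roles in the question above:
# plain rights are leaves, composite roles bundle a set of other roles.
COMPOSITES: Dict[str, Set[str]] = {
    "User": {"read page"},
    "Editor": {"read page", "create page", "edit page"},
    "Administrator": {"read page", "delete page"},
}


def resolve_effective_roles(assigned: Iterable[str], composites: Dict[str, Set[str]],
                            include_composites: bool = False) -> Set[str]:
    """Expand the roles assigned to a user into their effective set.

    A role that is not a key in `composites` is a plain right and is kept.
    Composites may nest and may even reference each other; the `visited`
    set guards against cycles so the expansion always terminates.
    With include_composites=True the composite role names themselves are
    kept as well (Keycloak's token lists the composite alongside its members);
    the default reproduces the leaf-only output the question asks for.
    """
    effective: Set[str] = set()
    visited: Set[str] = set()
    stack: List[str] = list(assigned)
    while stack:
        role = stack.pop()
        if role in visited:
            continue
        visited.add(role)
        children = composites.get(role)
        if children is None:
            effective.add(role)
        else:
            if include_composites:
                effective.add(role)
            stack.extend(children)
    return effective


def build_resource_access(client_id: str, assigned: Iterable[str],
                          composites: Dict[str, Set[str]],
                          include_composites: bool = False) -> Dict:
    """Build the `resource_access` claim fragment for one client (sorted for stable output)."""
    roles = resolve_effective_roles(assigned, composites, include_composites)
    return {"resource_access": {client_id: {"roles": sorted(roles)}}}


if __name__ == "__main__":
    import json
    print(json.dumps(build_resource_access("myApp", ["Administrator"], COMPOSITES), indent=1))
```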
</span></font>
</body>
</html>