I would like to nail down what we want Groups to look like in Keycloak.
And also propose a separate RoleGroups structure.
* Groups have an id, name, and description
* Groups have an arbitrary set of name/value pair attributes
* Realm/Client roles can be associated with a Group. This is like a
UserRoleMapping, except it is a GroupRoleMapping.
* Groups can be members of one or more groups
* Users can be members of one or more groups
* Users inherit attributes of the groups they belong to.
* UserModel now has a getGroups(), hasGroup(), grantGroup(), deleteGroup()
* Similar to default roles, we also have default groups.
Features we probably want:
* Groups can have a set of protocol Mappers organized by protocol.
* Clients inherit protocol Mappers from the groups a user belongs to.
* Do we want to expand the concept of a Group so that clients and
identity brokers can belong to a Group? Or just create a separate
composite structure for this?
RoleGroups are just a namespace for Roles. I want to remove the concept
of realm level and client level roles and just have the concept of a
RoleGroup. The reasoning for this is that I've seen people ask for it.
They want to share a set of roles between clients and realm-level
roles might end up having name clashes, if you are following me.
* RoleGroups have an id, name and description.
* RoleGroups define a set of roles.
* Users are *NOT* members of RoleGroups
* For migration, a "realm" RoleGroup is created. a RoleGroup for each
client that has defined roles is created. The name will be the clientId
of the client.
* I want to deprecate the "use-resource-role-mappings" switch in the
* I want to deprecate the JWT extension we made for roles and have
something completely flat (like SAML) with a URI that identifies each
role (like in UMA spec).
* We will remove these deprecated features in the final cut of community
that we fork to move into product.
JBoss, a division of Red Hat