Re: [keycloak-dev] roles vs. groups

On 11/4/2015 11:21 AM, Stan Silvert wrote: > On 11/4/2015 10:37 AM, Bill Burke wrote: >> On 11/4/2015 10:26 AM, Stan Silvert wrote: >>> On 11/4/2015 9:15 AM, Bill Burke wrote: >>>> I've alread stated the reason for composite roles: >>>> >>>> Say you have a set of applications under the Sales and Marketing >>>> Department: A Leads Application, Eloqua, and Salesforce. Each of the >>>> applications has a set of roles that are used to manage access to >>>> various features of each application. For example, each app might have >>>> an "admin" role. You would then want to organize permissions into >>>> categories and assign coarser grain roles to individual users. So, you >>>> would create a "Sales Admin" composite role that contains the "admin" >>>> role of each sales application. Composite roles allow you to group >>>> together roles into role catagories that you can assign to a specific >>>> user or user group. >>>> >>>> User Groups are different as you want to assign a set of permissions to >>>> a group of users. >>>> >>>> So composite roles are used to group together roles of a set of >>>> applications. User Groups are used to grant a set of perissions to a >>>> set of users. >>> Maybe it's just me, but I think of user groups as just a way to group >>> users, and roles as a way to group permissions. Roles are assigned to >>> user groups. Permissions are assigned to roles. >>> >> We dont' have the concept of a permission, so, assigning roles to a >> composite role is equivalent right now of assigning permissions to a role. > Isn't that what Pedro is working on right now? No. His is like: user in this group as write access to this document. This is just roles and sets of roles.