We have a use case where we would like to store additional meta-information for roles.
This come from our IAM-requirements, that say there is a single responsible person for a
role or that roles give access to data with different classifications. One way to store
this kind of information would be to introduce role attributes to client and realm roles,
basically similar to user or group attributes.
For us, it would be sufficient to have this information purely as metadata, i.e. we would
only read it through the audit log to inform the responsible person about role assignments
if a role with a certain classification is assigned. In contrast to that, you can add
group und user attributes to a token using user attribute mappers and the client
application can extract this information from the token and act on it.
WDYT? Does anybody else have similar requirements? Would you need role custom attributes
also in the token? I can imagine that it gets kind of difficult to identify where
attributes come from, once there are user, group, and role attributes, possibly with
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,