Re: [keycloak-dev] user group admins

On 11/5/2015 1:53 PM, Stian Thorgersen wrote: I don't think it is confusing, but it may be overloading the concept of a group. An organization is just a namespace for roles and clients? As well as a subset of realm users? I like clients to be able to have their own role namespace as you have a very clear definition of how the client is defined. This client lives at this URL, has these mappers, and publishes/provides these roles and permissions. Same for User Groups: This "User Group" has a set of default permissions. As well as a defined set of roles. An "employee" or "manager" in "Accounting" would have different permissions than a "employee" or "manager" within "Engineering". With separate role namespaces you have no clear idea what roles are important to which clients and users. Without a master realm, you have to figure out the chicken and egg problem. How do you create a new realm? How do you manage that new realm? How can you manage more than one realm with one login? Red Hat IT has a need for two separate realms. One for employees and one for customers. Will they have to have two separate admin accounts on each realm to manage them? Our URL scheme is already like this. You can log into a specific admin console for a specific realm. The "issue" (depending on your perspective) is that the admin REST interface allows you to interact with any realm. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com