Re: [keycloak-dev] [authz] Roles as first class citizens

I think you are exploring now a new way of seeing things. Today we have a flexible permissioning model where you define independent policies to build these permissions or even build other policies. Where you may have a library of policies, reuse these policies across different permissions, etc. What you are proposing, if I understood correctly, and that is what I meant by the "new way of seeing things", is also allow users to create permissions more easily without necessarily having to create policies. In other words, we would be providing additional permission types (in addition to resource/scope) for some very common use cases like the one you mentioned where you just need a white/blacklist of roles. Does it make sense ? On Sat, Apr 1, 2017 at 10:11 AM, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: I find creating role policies as cumbersome. Also, how is the admin supposed to know if a policy with a specific role has already been created or not? Maybe policies can have DENY and PERMIT role lists. when creating permissions you can just pick roles to add/remove to the permission. I think the most used, most common case (90% of the time?) will be assigning role permissions to resources so we should make it as easy as possible. Both within the admin UI and APIs. Thoughts? Bill _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev>