Re: [keycloak-dev] roles vs. groups

On 11/4/2015 10:37 AM, Bill Burke wrote: > > On 11/4/2015 10:26 AM, Stan Silvert wrote: >> On 11/4/2015 9:15 AM, Bill Burke wrote: >>> I've alread stated the reason for composite roles: >>> >>> Say you have a set of applications under the Sales and Marketing >>> Department: A Leads Application, Eloqua, and Salesforce. Each of the >>> applications has a set of roles that are used to manage access to >>> various features of each application. For example, each app might have >>> an "admin" role. You would then want to organize permissions into >>> categories and assign coarser grain roles to individual users. So, you >>> would create a "Sales Admin" composite role that contains the "admin" >>> role of each sales application. Composite roles allow you to group >>> together roles into role catagories that you can assign to a specific >>> user or user group. >>> >>> User Groups are different as you want to assign a set of permissions to >>> a group of users. >>> >>> So composite roles are used to group together roles of a set of >>> applications. User Groups are used to grant a set of perissions to a >>> set of users. >> Maybe it's just me, but I think of user groups as just a way to group >> users, and roles as a way to group permissions. Roles are assigned to >> user groups. Permissions are assigned to roles. >> > We dont' have the concept of a permission, so, assigning roles to a > composite role is equivalent right now of assigning permissions to a role. Isn't that what Pedro is working on right now?