On 8/3/2015 1:40 PM, Scott Rehorn wrote:
Here's a possible summary:
Groups:
* have names
* can contain other groups
* can carry a 'schema' which represents available attributes (more generally, claims)
* support mapping and aggregation from IdP-defined groups
* can be assigned roles
So a user in a group gets that group's attributes, role associations, sub-group's
role associations, and sub-group's attributes.
Can you define "support mapping and aggregation from IdP-defined
groups"? Wouldn't this be something configured at each IdP rather than
in a group? The IdP would define a mapper that looked at some claim,
then associate the user with a Keycloak-defined group based on the
claim...right?
I was also thinking that we might remove client roles and just move them
to groups. Migration would be that a group is created for each client
that has a set of roles defined. We have a few users that want to share
a set of roles between different clients.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
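To make the two pieces of this exchange concrete (Scott's group model, where a member aggregates the group's and its sub-groups' roles and attributes, and Bill's suggestion that an IdP-side mapper translates a claim into a Keycloak group), here is an added toy model. It is example code written for this thread, not Keycloak's implementation; the mapper config, group names, claim names and role names are all constructed, and the inheritance direction follows Scott's summary as written.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """A group as summarised in the thread: named, nestable, with attributes and roles."""
    name: str
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)
    subgroups: list = field(default_factory=list)

    def effective_roles(self) -> set:
        # A member gets this group's roles plus those of every nested sub-group.
        roles = set(self.roles)
        for sg in self.subgroups:
            roles |= sg.effective_roles()
        return roles

    def effective_attributes(self) -> dict:
        # Sub-group attributes first, then the group's own attributes override them.
        attrs = {}
        for sg in self.subgroups:
            attrs.update(sg.effective_attributes())
        attrs.update(self.attributes)
        return attrs


# Constructed IdP mapper config (hypothetical): which claim to read at each IdP and
# how its values map onto Keycloak-defined group names. Unknown values are ignored.
IDP_MAPPERS = {
    "corp-saml": {"claim": "memberOf",
                  "map": {"cn=devs": "developers", "cn=ops": "operations"}},
}


def map_claims_to_groups(idp_alias: str, claims: dict, groups_by_name: dict) -> list:
    """Apply the IdP's mapper: claim value -> Keycloak group, skipping unmapped values."""
    mapper = IDP_MAPPERS[idp_alias]
    values = claims.get(mapper["claim"], [])
    values = [values] if isinstance(values, str) else values
    names = (mapper["map"].get(v) for v in values)
    return [groups_by_name[n] for n in names if n in groups_by_name]


def resolve_user(idp_alias: str, claims: dict, groups_by_name: dict) -> tuple:
    """Roles and attributes a federated user ends up with after group mapping."""
    roles, attrs = set(), {}
    for g in map_claims_to_groups(idp_alias, claims, groups_by_name):
        roles |= g.effective_roles()
        attrs.update(g.effective_attributes())
    return roles, attrs


# Constructed sample data: "developers" nests "frontend-devs"; the role set on
# "developers" is one that several clients could share via the group.
FRONTEND = Group("frontend-devs", {"team": "frontend"}, {"app-ui:editor"})
DEVELOPERS = Group("developers", {"department": "engineering"},
                   {"app-api:read", "app-ui:read"}, [FRONTEND])
OPERATIONS = Group("operations", {"department": "ops"}, {"app-api:admin"})
GROUPS = {g.name: g for g in (DEVELOPERS, OPERATIONS, FRONTEND)}
SAMPLE_CLAIMS = {"memberOf": ["cn=devs", "cn=unknown"]}  # one mapped, one unmapped value
```

Running `resolve_user("corp-saml", SAMPLE_CLAIMS, GROUPS)` yields the developers' roles plus the nested frontend role, with the unmapped `cn=unknown` value silently dropped.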