Let's suppose you have a group called "GroupA"; that group has roles
"Create invoice" (this has 13 permissions), "Remove invoice" (this has 5
permissions), "Update invoice" (this has 19 permissions)...
I assign 25 users to Group A, but 2 users should not have 3 permissions
that are different in both users; would I need to create "GroupB" and
"GroupC" with the exact permissions, just to handle these 3 permission
exclusions?
It probably can be a little overkill, but IMHO it is more flexible than
an all or nothing approach.
Jorge Solórzano
On Tue, Nov 3, 2015 at 4:13 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
----- Original Message -----
> From: "Jorge Solórzano" <jorsol(a)gmail.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, November 3, 2015 7:33:07 PM
> Subject: Re: [keycloak-dev] roles vs. groups
>
> I think the concepts should be standardized:
>
> Permissions: are the most atomic level of a security policy and they
> are statements of functionality. Can you open a door? Can you read a
> file? Can you delete a customer record? Can you push a button?
>
> Roles: are effectively a collection of permissions used to simplify
> the management of permissions and users. So users can be assigned
> roles instead of being assigned permissions directly, which can get
> complicated with larger user bases and more complex applications. So,
> for example, a bank application might have an administrator role or a
> bank teller role.
>
> Users: A user is the "who" of an application.
>
> Groups: A collection of users that defines a set of roles/permissions;
> users are members of groups.
>
> The association for me is something like this:
> Groups can have Roles and/or Permissions associated to them.
> Users can have Roles and Permissions and can be members of Groups; by
> inheritance, users that are members of groups have all the permissions
> associated to the groups.
> Roles can have one or more permissions; these are explicit permissions.
>
> There should be deny permissions too.
Don't you think that positive logic is enough?
>
>
> Jorge Solórzano
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
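An added example, not Keycloak's own code, that models the GroupA/invoice scenario from the top of the thread alongside the deny-permission question in the quoted message: a small resolver that computes effective permissions with positive logic only, and then either subtracts per-user denies or (the alternative Jorge calls overkill) derives a whole new group with the exact permission set. The role names, permission identifiers and the `denied` field are constructed for illustration.

```python
# Added example (not Keycloak code): compares "deny entries" against
# "clone a group per exclusion set" for the GroupA invoice scenario.
from dataclasses import dataclass, field

# Constructed data mirroring the thread: three roles with 13, 5 and 19 permissions.
ROLES = {
    "create-invoice": {f"invoice:create:{i}" for i in range(13)},
    "remove-invoice": {f"invoice:remove:{i}" for i in range(5)},
    "update-invoice": {f"invoice:update:{i}" for i in range(19)},
}
GROUPS = {"GroupA": {"create-invoice", "remove-invoice", "update-invoice"}}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    denied: set = field(default_factory=set)  # hypothetical per-user deny list


def role_permissions(role_names):
    """Union of the explicit permissions carried by the given roles."""
    return set().union(*(ROLES[r] for r in role_names))


def effective_permissions(user, with_deny):
    """Positive logic: direct roles plus roles inherited through group membership.
    When with_deny is True, explicit denies are subtracted last, so deny wins."""
    perms = role_permissions(user.roles)
    for g in user.groups:
        perms |= role_permissions(GROUPS[g])
    return perms - user.denied if with_deny else perms


def derive_group(base, exclusions, new_name):
    """Positive-only alternative: a new group whose single synthetic role holds
    the base group's permissions minus the exclusions. Every distinct exclusion
    set costs one more group and one more role to maintain."""
    ROLES[f"{new_name}-role"] = role_permissions(GROUPS[base]) - set(exclusions)
    GROUPS[new_name] = {f"{new_name}-role"}
    return new_name


if __name__ == "__main__":
    excl = {"invoice:create:12", "invoice:remove:0", "invoice:update:3"}
    alice = User("alice", groups={"GroupA"}, denied=excl)
    print(len(effective_permissions(alice, with_deny=False)),
          len(effective_permissions(alice, with_deny=True)))  # 37 34
    bob = User("bob", groups={derive_group("GroupA", excl, "GroupB")})
    print(effective_permissions(bob, False) == effective_permissions(alice, True))  # True
```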