----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 5 February, 2014 1:24:24 PM
Subject: Re: [keycloak-dev] composite roles in
On 2/5/2014 6:57 AM, Stian Thorgersen wrote:
> Instead of allowing multiple default roles should we not have a single
> initial role on a realm? This means we can remove the default roles page,
> and instead have a simple select list on the realm settings page.
>
I'd also like to consolidate default roles into one place on Realm Settings.
Implementation wise, default roles wouldn't be a composite as I don't
want it showing up in role listings, or having to put in special logic
not to show it.
What I was thinking was that the default roles would be a single role. It could be a
composite role if the user wanted to. You simply select which role you want to use as the
default role that is assigned to all users when created.
This then lets you manage this role as a normal role, which means there's no special
logic or screens required for it. It's possible to add/remove this role to users,
apps, etc if you want to. And as it can be a composite role you can add/remove roles to
it if you want as well.
'Default roles' is confusing as well, is it not some initial roles granted users
when they are created?
> We could also have both an initial role and a default role associated with a
> realm. The initial role is provided to users when they register or are
> created through admin console, while the default role is always granted to
> all users.
>
I don't agree you need two different types here. What we really need is
the ability to apply bulk changes to users.
Are there not situations where you have some roles that all logged-in users should have?
For example 'view-profile' would be an example of a role that all users should
have regardless.
Then again there's the situation where you want to have roles allocated to users when
they register, but you may want to remove those later. I'm not sure I'm that
convinced about this use-case, but both you and Marek argued this would be needed. Reason
why I'm unsure about it, is that if a user self-registers, then loses some
registration roles the user can simply re-register to gain those permissions again.
> When listing and selecting roles it would be good if there was some
> indication if it's a composite role or a simple role.
>
Ok, I'll add that.
> Editing the roles is a bit confusing as the "Composite Realm Roles" and
> "Composite Application Roles" sections are always shown. It was more clear
> when there was a "composite" on/off toggle.
Having a toggle at the Representation and data model was annoying,
specifically having to specify composite: true in the json import file.
I forgot it twice when writing the tests :)
So, I'll add the on/off toggle just to show/hide the composite field sets.
> Also, can we have composite app roles? If so can a composite app role
> consist of roles for other apps and realm?
>
Apps or realms can have composite roles. These composites can be made
up of any realm or app role. Does the app-role screen not allow
composites, not work?
This doesn't make sense to me. Why can you have an app specific role that can be made
up of roles from other apps?
Can't do cross-realm composites.
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 4 February, 2014 11:46:04 PM
>> Subject: [keycloak-dev] composite roles in
>>
>> I still need to do a screencast (and eventually do some documentation).
>> I'm waiting on that as I want to see how our UI might change for the
>> next release. I had to change a bit in the import realm json
>> representation to support composites.
>>
>> I'm going to take a look at Stan's Wildfly subsystem work next and see
>> if it can be improved at all, or if it's ready to go.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
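
An added example, not part of the original thread and not Keycloak code: a small model of the composite rules discussed above (a composite may include any realm or app role, never one from another realm), with a cycle-safe expansion of a user's effective roles and a review helper that lists app roles pulling in another app's roles. The `Role`, `RoleStore` and `demo` names and all sample role names are hypothetical.

```python
from collections import namedtuple

# Hypothetical model: container is "realm" for realm roles, else an application name.
Role = namedtuple("Role", "realm container name")

class RoleStore:
    def __init__(self):
        self.children = {}  # Role -> set of roles it directly includes

    def add(self, role):
        self.children.setdefault(role, set())
        return role

    def include(self, parent, child):
        """Make `parent` a composite that contains `child`."""
        if parent.realm != child.realm:
            raise ValueError("cross-realm composites are not allowed")
        self.add(parent)
        self.add(child)
        self.children[parent].add(child)

    def effective(self, granted):
        """All roles reachable from the directly granted ones (cycle-safe)."""
        seen, stack = set(), list(granted)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.children[role])
        return seen

    def cross_app_edges(self):
        """Composite links where an app role includes a different app's role."""
        return sorted((p, c) for p, kids in self.children.items() for c in kids
                      if "realm" not in (p.container, c.container)
                      and p.container != c.container)

def demo():
    """Constructed sample realm with a single composite default role."""
    s = RoleStore()
    default = s.add(Role("demo", "realm", "default-user"))
    profile = s.add(Role("demo", "realm", "view-profile"))
    customer = s.add(Role("demo", "shop", "customer"))
    invoices = s.add(Role("demo", "billing", "view-invoices"))
    s.include(default, profile)
    s.include(default, customer)
    s.include(customer, invoices)  # app role containing another app's role
    s.include(invoices, customer)  # constructed cycle; expansion must still terminate
    return s, default, customer, invoices
```

Granting only the default role yields all four roles in the sample, and `cross_app_edges()` surfaces the two cross-application links for review.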