From: "Vlastimil Elias" <velias(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 June, 2015 2:49:49 PM
Subject: Re: [keycloak-dev] How to assign new client default roles to existing users?
Thanks for the clarification of composite roles, I'll use it.
I agree that batch role updates in the Admin GUI should be a good solution,
and I understand the resource constraint.
Cheers
Vlastimil
On 8.6.2015 14:31, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Vlastimil Elias" <velias(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 June, 2015 2:23:49 PM
>> Subject: Re: [keycloak-dev] How to assign new client default roles to
>> existing users?
>>
>> Nice workaround, thanks for the tip.
>> I thought about it also, but I'm not able to assign this new composite
>> default role to all existing users still ;-)
> It's not a workaround, it's what we had in mind when we added default roles
> and composite roles ;)
>
>> So some of the solutions for default roles as I proposed should be good.
> Neither of your two first proposals are required as using a composite
> default role gives the same result. What is required though is support for
> batch updates in admin console. We don't have resources to do that atm
> though. I'd suggest you create a default composite role. Then afterwards
> either use the rest api to add this to all existing users or directly
> update the db (it should be a relatively simple update).
>
>> Thanks
>>
>> Vlastimil
>>
>> On 8.6.2015 14:03, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Vlastimil Elias" <velias(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Monday, 8 June, 2015 1:54:11 PM
>>>> Subject: [keycloak-dev] How to assign new client default roles to
>>>> existing users?
>>>>
>>>> Hi,
>>>>
>>>> we just found one admin use case which is not covered by existing
>>>> Keycloak and its Admin GUI.
>>>>
>>>> When you create a new Client later and define some default role/s for
>>>> it, there is no way to assign these roles to existing users.
>>>> The problem is that default roles are assigned to users in the DB when
>>>> they are created. The admin GUI then allows assigning roles to one user
>>>> only, not too useful when you have hundreds or thousands of users ;-)
>>>> The only workaround for now is to write a script which uses the REST API
>>>> to assign new default roles to all existing users.
>>>>
>>>> I see these possible solutions:
>>>>
>>>> * do not assign default roles in the DB when a user is created, but
>>>>   assign them dynamically when user roles are asked for - a possible
>>>>   con of this solution is that it does not allow removing a default
>>>>   role from concrete/selected users
>>>> * keep default role assignment in the DB on user create, but
>>>>   automatically assign a new default role to all existing users once
>>>>   it is defined for a client
>>>> * keep default role assignment in the DB on user create, but add some
>>>>   manual bulk role assignment action to the Admin GUI, which allows
>>>>   the admin to assign a role to existing users.
>>>>
>>>> WDYT, which solution should be better?
>>> Or, create a composite role called 'default' and have this as the only
>>> default role. Afterwards you can map new roles to this composite role and
>>> it'll be reflected for all users that have the 'default' role assigned to
>>> them.
>>>
>>>> Cheers
>>>>
>>>> Vlastimil
>>>>
>>>> --
>>>> Vlastimil Elias
>>>> Principal Software Engineer
>>>> jboss.org Development Team
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> jboss.org Development Team
>>
>>
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
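
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: a simplified Python model in which default roles are copied to a user at creation time while composite roles are expanded at lookup time. The `Realm` class, its methods and the role and user names are hypothetical and constructed for illustration.

```python
# Simplified model (an assumption, not Keycloak code): default roles are copied
# into a user's stored mappings at creation; composites are expanded at lookup.
class Realm:
    def __init__(self, default_roles):
        self.default_roles = set(default_roles)
        self.composites = {}   # composite role -> set of child roles
        self.user_roles = {}   # user -> directly stored role mappings

    def create_user(self, name):
        self.user_roles[name] = set(self.default_roles)  # snapshot, never refreshed

    def add_composite(self, parent, child):
        self.composites.setdefault(parent, set()).add(child)

    def effective_roles(self, name):
        seen, stack = set(), list(self.user_roles[name])
        while stack:                      # 'seen' also guards against composite cycles
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.composites.get(role, ()))
        return seen

    def backfill(self, role):
        """One-off bulk grant (the REST/DB update in the thread); returns users changed."""
        changed = sorted(u for u, r in self.user_roles.items() if role not in r)
        for user in changed:
            self.user_roles[user].add(role)
        return changed


def demo():
    realm = Realm({"user"})
    realm.create_user("alice")                      # exists before any new client
    realm.default_roles.add("app1.viewer")          # plain new default role
    realm.create_user("bob")
    plain = {u: "app1.viewer" in realm.effective_roles(u) for u in ("alice", "bob")}

    realm.default_roles = {"default"}               # switch to one composite default
    for child in ("user", "app1.viewer"):
        realm.add_composite("default", child)
    migrated = realm.backfill("default")            # needed once for existing users
    realm.add_composite("default", "app2.viewer")   # later client: no per-user update
    later = {u: "app2.viewer" in realm.effective_roles(u) for u in ("alice", "bob")}
    return plain, migrated, later


if __name__ == "__main__":
    print(demo())
```

In this model every holder of the composite role gains each child role mapped into it later, so what gets mapped into 'default' deserves the same review as a direct grant to all users.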