Another use case could be supporting segregation of duties (SoD). A role
could list a set of mutually exclusive roles that cannot be assigned to a
user at the same time.
Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com> wrote on
Wed, 25 July 2018, 17:03:
We also have the same requirements but would use it mostly for role
metadata. This would not be used in a token but for things like after
assigning a role to a user sending an email to the person responsible for
that role. This is required for compliance reasons. We would strongly
prefer to store this data in Keycloak as custom role attributes instead of
maintaining it somewhere else...
Best regards,
Sebastian
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <
keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Stian Thorgersen
Sent: Monday, 16 July 2018 20:27
To: Sebastian.Loesch(a)governikus.de
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] Introduce role attributes
I don't think we should add attributes to roles. It would introduce
complexity and also potentially have performance/memory impacts.
I also struggle to see how you would use attributes associated with roles.
Are you thinking that would be mapped into the token together with the
role name?
On Tue, 3 Jul 2018 at 07:37, Lösch, Sebastian <
Sebastian.Loesch(a)governikus.de> wrote:
> Hi developers,
>
> we are currently setting up a project using keycloak and need to model:
> - representative roles, i.e. roles that are given temporarily from one
> user to another e.g. in holiday times
> - roles contain entitlements on business objects
>
> The current role object in keycloak is not sufficient for our use cases.
> Searching for a solution I stumbled over
>
> https://issues.jboss.org/browse/KEYCLOAK-961
> Introducing role attributes would solve my challenges. Also this fits
> well in the keycloak data model, as there are already user attributes,
> group attributes, realm attributes.
>
> So I would like to add role attributes to keycloak in the style of
> group attributes.
> What do you think?
>
> Best regards,
> Sebastian
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>