For a use case I need to support segregation of duties across multiple
Segregation of Duties (SoD) is a mechanism that prevents
much power in the hands of a single person. It places constraints
of entitlements to users. For example, SoD may prevent a single user
request and also approve it.
Have you already considered adding this feature?
In the context of Keycloak this would mean specifying that two roles are
mutually exclusive, determined based on the overall effective roles of
a user; the same may apply to service accounts.
Issue is here:
Some thoughts about adding that to Keycloak.
Support for "Segregation of Duties" (SoD) for a realm could be controlled by
an on/off switch.
If SoD is enabled, an administrator can select a set of roles which are then
treated as mutually exclusive to the given role when creating or updating a role.
Mutually exclusive roles could be stored as a pair role1:role2 (with
their ids) in a table such as keycloak_roles_mutex or keycloak_roles_sod.
If role1 is mutually exclusive to role2 then role2 is mutually exclusive to
Creating / Updating a Role with SoD
When creating a new or editing an existing role (role1), an administrator
could configure SoD by specifying a list of roles that are mutually exclusive
to the current role (e.g. role2) -> perhaps called "Segregation of Duty
Validating a role assignment with SoD
When assigning a role to a user, Keycloak would check if the given role
combined with any effective role of a user matches a registered pair in the
If this is the case, the assignment would be rejected with an error, perhaps
which roles cause the conflict. Otherwise the role can be assigned.
The same would apply to roles added to groups when a user wants to join a group.
Special Case: Updating a Role with SoD
When configuring SoD for an existing role it might happen that there exists a
user role mapping with a then-invalid configuration. In that case an SoD
enabled for the given role until the conflicting role mappings are cleared.
Until Keycloak provides a way to inspect granted and effective roles assigned
to a user in more detail, users would need to fall back to database queries to
find user role mappings.
Removing a Role with SoD configuration
When a role is removed and it had SoD roles configured those mappings must
be removed as well.
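As an added illustration of the proposed design (not Keycloak code and not from the thread), the following Python sketches the mutually exclusive pair store, the assignment check against a user's effective roles, the pre-check for existing conflicting mappings before SoD is enabled on a role, and the cleanup when a role is removed. Composite-role expansion, the in-memory store standing in for the proposed keycloak_roles_sod table, and the sample roles are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SodRegistry:
    # Stand-in for the proposed keycloak_roles_sod table; each pair is kept
    # once as an unordered frozenset, so role1:role2 and role2:role1 coincide.
    pairs: set = field(default_factory=set)
    # role -> roles it grants (assumption: effective roles expand composites)
    composites: dict = field(default_factory=dict)

    def add_pair(self, role1: str, role2: str) -> None:
        if role1 == role2:
            raise ValueError("a role cannot be mutually exclusive with itself")
        self.pairs.add(frozenset((role1, role2)))

    def remove_role(self, role: str) -> None:
        # Deleting a role must also drop every SoD pair that references it.
        self.pairs = {p for p in self.pairs if role not in p}

    def effective_roles(self, granted) -> set:
        seen, stack = set(), list(granted)  # transitive composite expansion
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.composites.get(r, ()))
        return seen

    def violations(self, roles) -> list:
        eff = self.effective_roles(roles)  # pairs fully inside the effective set
        return sorted(tuple(sorted(p)) for p in self.pairs if p <= eff)

    def assign(self, user_roles: set, *new_roles: str) -> set:
        # Reject if the result would contain a registered pair; a group join
        # is the same check with several roles added at once.
        bad = self.violations(user_roles | set(new_roles))
        if bad:
            raise PermissionError(f"SoD conflict, role pairs: {bad}")
        user_roles.update(new_roles)
        return user_roles

    def existing_violations(self, mappings: dict) -> dict:
        # Before enabling SoD on an existing role: users already in conflict.
        return {u: v for u, r in mappings.items() if (v := self.violations(r))}

def sample_registry() -> SodRegistry:
    # Constructed sample: request-po and approve-po are mutually exclusive,
    # and "finance-admin" is a composite role that grants approve-po.
    reg = SodRegistry(composites={"finance-admin": {"approve-po"}})
    reg.add_pair("request-po", "approve-po")
    return reg
```

The conflict raised by `assign` names the offending pair, which is the error detail the proposal asks for; `existing_violations` is the database-style query the thread says users would otherwise have to write by hand.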