3:04 p.m.
Stian and I were having a conversation about roles, keycloak composite
roles, vs. groups. It seems that groups and roles are often confused
and one can be equivalent to the other. One common thread is the following:
Groups are user centric. Roles are permission centric.
"A group is a means of organising users, whereas a role is usually a
means of organising rights."
So, keycloak composite roles would be a way to organise rights for a set
of applications. For example, you might have a set of sales services,
each sales service has an "admin" and "user" role. You'd define a
"sales user" and "sales admin" role which would be a composite
containing the "admin" and/or "user" role of each sales service.
Conversely, a keycloak group would provide a way to organize a set of
users. You would create a group called "sales associates" add members
to it and then assign the roles members of the group can partake.
Really, in Keycloak with composite roles, you can have a role act as a
group. So, while groups and roles are logically the sameAdding the
concept of a group though provides distinction and clarity without
overloading the concept of a composite.
So, given that, Role mapping tab for Groups and Users would be named
"Permissions" instead of "Role Mappings". Each role would have a
"Rights" tab instead of the "Composite Role" concept we have now.
That
might bring more clarity? Or will it just confuse concepts that are
going to be introduced by Pedro and his Authz stuff?
I'm also thinking that a Groups and Role Namespaces could be combined.
So a group would have a set of "Permissions" (role mappings) that are
automatically granted to user members. The group could also define a
set of "Roles" that apply to this group. So "Sales" could have a
"Manager" role. This "Manager" role would be a composite role that
assigns additional permissions. This would also allow us to define
default roles for
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:08 p.m.
On 11/3/2015 4:04 PM, Bill Burke wrote:
Stian and I were having a conversation about roles, keycloak
composite
roles, vs. groups. It seems that groups and roles are often confused
and one can be equivalent to the other. One common thread is the following:
Groups are user centric. Roles are permission centric.
"A group is a means of organising users, whereas a role is usually a
means of organising rights."
So, keycloak composite roles would be a way to organise rights for a set
of applications. For example, you might have a set of sales services,
each sales service has an "admin" and "user" role. You'd define
a
"sales user" and "sales admin" role which would be a composite
containing the "admin" and/or "user" role of each sales service.
Conversely, a keycloak group would provide a way to organize a set of
users. You would create a group called "sales associates" add members
to it and then assign the roles members of the group can partake.
Really, in Keycloak with composite roles, you can have a role act as a
group. So, while groups and roles are logically the sameAdding the
concept of a group though provides distinction and clarity without
overloading the concept of a composite.
So, given that, Role mapping tab for Groups and Users would be named
"Permissions" instead of "Role Mappings". Each role would have a
"Rights" tab instead of the "Composite Role" concept we have now.
That
might bring more clarity? Or will it just confuse concepts that are
going to be introduced by Pedro and his Authz stuff?
I'm also thinking that a Groups and Role Namespaces could be combined.
So a group would have a set of "Permissions" (role mappings) that are
automatically granted to user members. The group could also define a
set of "Roles" that apply to this group. So "Sales" could have a
"Manager" role. This "Manager" role would be a composite role that
assigns additional permissions. This would also allow us to define
default roles for
Whoops, I didn't finish....
Combining Groups and Role Namespaces would allow us to define built in
roles for the Group that when assigned would allow management of the
members of the group.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:33 p.m.
I think the concepts should be standardized:
Permissions: are the most atomic level of a security policy and they
are statements of functionality. Can you open a door? Can you read a
file? Can you delete a customer record? Can you push a button?
Roles: are effectively a collection of permissions used to simplify
the management of permissions and users. So users can be assigned
roles instead of being assigned permissions directly, which can get
complicated with larger user bases and more complex applications. So,
for example, a bank application might have an administrator role or a
bank teller role.
Users: A user is the "who" of an application.
Groups: Is a collection of users and define a set of roles/permisions,
users are members of groups.
The asociation for me is something like this:
Groups can have Roles and/or Permisions asociated to it.
User can have Roles and Permisions and can be members of Groups, by
inheritance users that are members of groups have all the permisions
asociated to the groups.
Roles can have one ore more permissions, this are explicit permisions.
There should be deny permisions too.
Jorge Solórzano
4:13 p.m.
----- Original Message -----
From: "Jorge Solórzano" <jorsol(a)gmail.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, November 3, 2015 7:33:07 PM
Subject: Re: [keycloak-dev] roles vs. groups
I think the concepts should be standardized:
Permissions: are the most atomic level of a security policy and they
are statements of functionality. Can you open a door? Can you read a
file? Can you delete a customer record? Can you push a button?
Roles: are effectively a collection of permissions used to simplify
the management of permissions and users. So users can be assigned
roles instead of being assigned permissions directly, which can get
complicated with larger user bases and more complex applications. So,
for example, a bank application might have an administrator role or a
bank teller role.
Users: A user is the "who" of an application.
Groups: Is a collection of users and define a set of roles/permisions,
users are members of groups.
The asociation for me is something like this:
Groups can have Roles and/or Permisions asociated to it.
User can have Roles and Permisions and can be members of Groups, by
inheritance users that are members of groups have all the permisions
asociated to the groups.
Roles can have one ore more permissions, this are explicit permisions.
There should be deny permisions too.
Don't you think that positive logic is enough ?
Jorge Solórzano
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:02 p.m.
Let's supose, you have a group called "GroupA", that group have roles
"Create invoice" this has 13 permisions, "Remove invoice" this has 5
permisions, "Update invoice" this has 19 permisions...
I asign 25 users to Group A, but 2 users, should not have 3 permisions
that are different in both users, should I need to create "GroupB" and
"GroupC" with the exact permissions, just to handle this 3 permisions
exclusions?
It probably can be a little overkill, but IHMO is more flexible than
an all or nothing approach.
Jorge Solórzano
On Tue, Nov 3, 2015 at 4:13 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
----- Original Message -----
> From: "Jorge Solórzano" <jorsol(a)gmail.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, November 3, 2015 7:33:07 PM
> Subject: Re: [keycloak-dev] roles vs. groups
>
> I think the concepts should be standardized:
>
> Permissions: are the most atomic level of a security policy and they
> are statements of functionality. Can you open a door? Can you read a
> file? Can you delete a customer record? Can you push a button?
>
> Roles: are effectively a collection of permissions used to simplify
> the management of permissions and users. So users can be assigned
> roles instead of being assigned permissions directly, which can get
> complicated with larger user bases and more complex applications. So,
> for example, a bank application might have an administrator role or a
> bank teller role.
>
> Users: A user is the "who" of an application.
>
> Groups: Is a collection of users and define a set of roles/permisions,
> users are members of groups.
>
> The asociation for me is something like this:
> Groups can have Roles and/or Permisions asociated to it.
> User can have Roles and Permisions and can be members of Groups, by
> inheritance users that are members of groups have all the permisions
> asociated to the groups.
> Roles can have one ore more permissions, this are explicit permisions.
>
> There should be deny permisions too.
Don't you think that positive logic is enough ?
>
>
> Jorge Solórzano
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:46 a.m.
Let's supose, you have a group called "GroupA", that group have roles
"Create invoice" this has 13 permisions, "Remove invoice" this has 5
permisions, "Update invoice" this has 19 permisions...
I asign 25 users to Group A, but 2 users, should not have 3 permisions
that are different in both users, should I need to create "GroupB" and
"GroupC" with the exact permissions, just to handle this 3 permisions
exclusions?
It probably can be a little overkill, but IHMO is more flexible than
an all or nothing approach.
I see your point. However, IMO, when you start to use negatives you may end up with
something more complicate and hard to follow.
What I meant by positive logic is not an all or nothing approach, but use positives
permissions and play with them to match your requirements.
For instance, we are developing some additional authorization features to Keycloak. There
you can define a set of policies that rule access to your resources based on different
type of access control mechanisms: rbac, contextual/risk-based, abac, user-based, etc.
Policies can be applied to a resource type, resource instance, a specific scope (eg.:
create, remove, delete, etc) or a combination of them. Policies are also independent of
each other and can be reused and combined in different ways to actually define and enforce
authorization for a given resource/scope.
Considering you scenario, you would have something like that:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Resource X Policy (here we are telling what Group A can do. In this case, access
Resource X and any of its scopes)
- Applies Only Group A Policy
You can also have something like:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Create Invoice Policy (here we're telling that Group A can access a specific
scope.)
- Applies Only Group A Policy
Now, if you want specific policies for some of your users, you can do something like:
- Exceptional Y Policy (which can define a specific user, role, group, any contextual
information like current time or authentication method)
- Create Invoice Policy
- Applies Only Group A Policy
- Applies Exceptional Y Policy
That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
I would appreciate if you could provide some more info about your use case. Right now
I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
Thanks.
Pedro Igor
7:43 a.m.
First, +1 to adding groups and permissions, because that's what our
users expect to see.
I'm going to go ahead and say what I was hoping to say last night. It's
hard to visualize this stuff without seeing diagrams, but I'm wondering
if we still need composites. That is, once we have groups, roles, and
permissions, do composites really solve something that can't be done as
easily or better with the groups, roles, and permissions?
Composites have been a point of confusion. I can remember when I first
started working with Keycloak that it took awhile to get comfortable
with composites. I think that's the reaction our users are having as
well. From a technical standpoint, they are very powerful. But that's
not readily apparent to a lot of people, which is why users are always
asking for groups. Perhaps we should give up some technical elegance
for something that's easier to understand.
If composites are only there for convenience, I'd say get rid of them.
IMO, we should favor something that's easy to understand and still gets
the job done. (As a bonus, simpler data structures are easier to deal
with as we add new features!)
On 11/4/2015 7:46 AM, Pedro Igor Silva wrote:
> Let's supose, you have a group called "GroupA",
that group have roles
> "Create invoice" this has 13 permisions, "Remove invoice" this
has 5
> permisions, "Update invoice" this has 19 permisions...
>
> I asign 25 users to Group A, but 2 users, should not have 3 permisions
> that are different in both users, should I need to create "GroupB" and
> "GroupC" with the exact permissions, just to handle this 3 permisions
> exclusions?
>
> It probably can be a little overkill, but IHMO is more flexible than
> an all or nothing approach.
>
I see your point. However, IMO, when you start to use negatives you may end up with
something more complicate and hard to follow.
What I meant by positive logic is not an all or nothing approach, but use positives
permissions and play with them to match your requirements.
For instance, we are developing some additional authorization features to Keycloak. There
you can define a set of policies that rule access to your resources based on different
type of access control mechanisms: rbac, contextual/risk-based, abac, user-based, etc.
Policies can be applied to a resource type, resource instance, a specific scope (eg.:
create, remove, delete, etc) or a combination of them. Policies are also independent of
each other and can be reused and combined in different ways to actually define and enforce
authorization for a given resource/scope.
Considering you scenario, you would have something like that:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Resource X Policy (here we are telling what Group A can do. In this case, access
Resource X and any of its scopes)
- Applies Only Group A Policy
You can also have something like:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Create Invoice Policy (here we're telling that Group A can access a specific
scope.)
- Applies Only Group A Policy
Now, if you want specific policies for some of your users, you can do something like:
- Exceptional Y Policy (which can define a specific user, role, group, any
contextual information like current time or authentication method)
- Create Invoice Policy
- Applies Only Group A Policy
- Applies Exceptional Y Policy
That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
I would appreciate if you could provide some more info about your use case. Right now
I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
Thanks.
Pedro Igor
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:15 a.m.
I've alread stated the reason for composite roles:
Say you have a set of applications under the Sales and Marketing
Department: A Leads Application, Eloqua, and Salesforce. Each of the
applications has a set of roles that are used to manage access to
various features of each application. For example, each app might have
an "admin" role. You would then want to organize permissions into
categories and assign coarser grain roles to individual users. So, you
would create a "Sales Admin" composite role that contains the "admin"
role of each sales application. Composite roles allow you to group
together roles into role catagories that you can assign to a specific
user or user group.
User Groups are different as you want to assign a set of permissions to
a group of users.
So composite roles are used to group together roles of a set of
applications. User Groups are used to grant a set of perissions to a
set of users.
On 11/4/2015 8:43 AM, Stan Silvert wrote:
First, +1 to adding groups and permissions, because that's what
our
users expect to see.
I'm going to go ahead and say what I was hoping to say last night. It's
hard to visualize this stuff without seeing diagrams, but I'm wondering
if we still need composites. That is, once we have groups, roles, and
permissions, do composites really solve something that can't be done as
easily or better with the groups, roles, and permissions?
Composites have been a point of confusion. I can remember when I first
started working with Keycloak that it took awhile to get comfortable
with composites. I think that's the reaction our users are having as
well. From a technical standpoint, they are very powerful. But that's
not readily apparent to a lot of people, which is why users are always
asking for groups. Perhaps we should give up some technical elegance
for something that's easier to understand.
If composites are only there for convenience, I'd say get rid of them.
IMO, we should favor something that's easy to understand and still gets
the job done. (As a bonus, simpler data structures are easier to deal
with as we add new features!)
On 11/4/2015 7:46 AM, Pedro Igor Silva wrote:
>> Let's supose, you have a group called "GroupA", that group have
roles
>> "Create invoice" this has 13 permisions, "Remove invoice"
this has 5
>> permisions, "Update invoice" this has 19 permisions...
>>
>> I asign 25 users to Group A, but 2 users, should not have 3 permisions
>> that are different in both users, should I need to create "GroupB" and
>> "GroupC" with the exact permissions, just to handle this 3 permisions
>> exclusions?
>>
>> It probably can be a little overkill, but IHMO is more flexible than
>> an all or nothing approach.
>>
> I see your point. However, IMO, when you start to use negatives you may end up with
something more complicate and hard to follow.
>
> What I meant by positive logic is not an all or nothing approach, but use positives
permissions and play with them to match your requirements.
>
> For instance, we are developing some additional authorization features to Keycloak.
There you can define a set of policies that rule access to your resources based on
different type of access control mechanisms: rbac, contextual/risk-based, abac,
user-based, etc.
>
> Policies can be applied to a resource type, resource instance, a specific scope (eg.:
create, remove, delete, etc) or a combination of them. Policies are also independent of
each other and can be reused and combined in different ways to actually define and enforce
authorization for a given resource/scope.
>
> Considering you scenario, you would have something like that:
>
> - Only Group A Policy (defines that all members of Group A can *do something*)
> - Resource X Policy (here we are telling what Group A can do. In this case,
access Resource X and any of its scopes)
> - Applies Only Group A Policy
>
> You can also have something like:
>
> - Only Group A Policy (defines that all members of Group A can *do something*)
> - Create Invoice Policy (here we're telling that Group A can access a
specific scope.)
> - Applies Only Group A Policy
>
> Now, if you want specific policies for some of your users, you can do something
like:
>
> - Exceptional Y Policy (which can define a specific user, role, group, any
contextual information like current time or authentication method)
> - Create Invoice Policy
> - Applies Only Group A Policy
> - Applies Exceptional Y Policy
>
> That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
>
> I would appreciate if you could provide some more info about your use case. Right now
I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
>
> Thanks.
> Pedro Igor
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:26 a.m.
On 11/4/2015 9:15 AM, Bill Burke wrote:
I've alread stated the reason for composite roles:
Say you have a set of applications under the Sales and Marketing
Department: A Leads Application, Eloqua, and Salesforce. Each of the
applications has a set of roles that are used to manage access to
various features of each application. For example, each app might have
an "admin" role. You would then want to organize permissions into
categories and assign coarser grain roles to individual users. So, you
would create a "Sales Admin" composite role that contains the
"admin"
role of each sales application. Composite roles allow you to group
together roles into role catagories that you can assign to a specific
user or user group.
User Groups are different as you want to assign a set of permissions to
a group of users.
So composite roles are used to group together roles of a set of
applications. User Groups are used to grant a set of perissions to a
set of users.
Maybe it's just me, but I think of user groups as just a way to
group
users, and roles as a way to group permissions. Roles are assigned to
user groups. Permissions are assigned to roles.
I don't see why you need anything more. In your example, each
application has an admin role that has a set of permissions for the
application. Each admin role can be assigned to a Sales Admin user
group. Sales Admin users are assigned to the Sales Admin user group.
Done.
User Groups, Roles, and Permissions are common concepts. Are there
other systems that use composite roles? I honestly don't know the
answer, but I'm pressing on this point right now because I don't want us
to be stuck with a concept that users don't readily understand and has
not been found to be useful elsewhere.
On 11/4/2015 8:43 AM, Stan Silvert wrote:
> First, +1 to adding groups and permissions, because that's what our
> users expect to see.
>
> I'm going to go ahead and say what I was hoping to say last night. It's
> hard to visualize this stuff without seeing diagrams, but I'm wondering
> if we still need composites. That is, once we have groups, roles, and
> permissions, do composites really solve something that can't be done as
> easily or better with the groups, roles, and permissions?
>
> Composites have been a point of confusion. I can remember when I first
> started working with Keycloak that it took awhile to get comfortable
> with composites. I think that's the reaction our users are having as
> well. From a technical standpoint, they are very powerful. But that's
> not readily apparent to a lot of people, which is why users are always
> asking for groups. Perhaps we should give up some technical elegance
> for something that's easier to understand.
>
> If composites are only there for convenience, I'd say get rid of them.
> IMO, we should favor something that's easy to understand and still gets
> the job done. (As a bonus, simpler data structures are easier to deal
> with as we add new features!)
>
> On 11/4/2015 7:46 AM, Pedro Igor Silva wrote:
>>> Let's supose, you have a group called "GroupA", that group have
roles
>>> "Create invoice" this has 13 permisions, "Remove invoice"
this has 5
>>> permisions, "Update invoice" this has 19 permisions...
>>>
>>> I asign 25 users to Group A, but 2 users, should not have 3 permisions
>>> that are different in both users, should I need to create "GroupB"
and
>>> "GroupC" with the exact permissions, just to handle this 3
permisions
>>> exclusions?
>>>
>>> It probably can be a little overkill, but IHMO is more flexible than
>>> an all or nothing approach.
>>>
>> I see your point. However, IMO, when you start to use negatives you may end up
with something more complicate and hard to follow.
>>
>> What I meant by positive logic is not an all or nothing approach, but use
positives permissions and play with them to match your requirements.
>>
>> For instance, we are developing some additional authorization features to
Keycloak. There you can define a set of policies that rule access to your resources based
on different type of access control mechanisms: rbac, contextual/risk-based, abac,
user-based, etc.
>>
>> Policies can be applied to a resource type, resource instance, a specific scope
(eg.: create, remove, delete, etc) or a combination of them. Policies are also independent
of each other and can be reused and combined in different ways to actually define and
enforce authorization for a given resource/scope.
>>
>> Considering you scenario, you would have something like that:
>>
>> - Only Group A Policy (defines that all members of Group A can *do
something*)
>> - Resource X Policy (here we are telling what Group A can do. In this
case, access Resource X and any of its scopes)
>> - Applies Only Group A Policy
>>
>> You can also have something like:
>>
>> - Only Group A Policy (defines that all members of Group A can *do
something*)
>> - Create Invoice Policy (here we're telling that Group A can access a
specific scope.)
>> - Applies Only Group A Policy
>>
>> Now, if you want specific policies for some of your users, you can do something
like:
>>
>> - Exceptional Y Policy (which can define a specific user, role, group, any
contextual information like current time or authentication method)
>> - Create Invoice Policy
>> - Applies Only Group A Policy
>> - Applies Exceptional Y Policy
>>
>> That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
>>
>> I would appreciate if you could provide some more info about your use case. Right
now I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
>>
>> Thanks.
>> Pedro Igor
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
9:37 a.m.
On 11/4/2015 10:26 AM, Stan Silvert wrote:
On 11/4/2015 9:15 AM, Bill Burke wrote:
> I've alread stated the reason for composite roles:
>
> Say you have a set of applications under the Sales and Marketing
> Department: A Leads Application, Eloqua, and Salesforce. Each of the
> applications has a set of roles that are used to manage access to
> various features of each application. For example, each app might have
> an "admin" role. You would then want to organize permissions into
> categories and assign coarser grain roles to individual users. So, you
> would create a "Sales Admin" composite role that contains the
"admin"
> role of each sales application. Composite roles allow you to group
> together roles into role catagories that you can assign to a specific
> user or user group.
>
> User Groups are different as you want to assign a set of permissions to
> a group of users.
>
> So composite roles are used to group together roles of a set of
> applications. User Groups are used to grant a set of perissions to a
> set of users.
Maybe it's just me, but I think of user groups as just a way to group
users, and roles as a way to group permissions. Roles are assigned to
user groups. Permissions are assigned to roles.
We dont' have the concept of a permission, so, assigning roles to a
composite role is equivalent right now of assigning permissions to a role.
I don't see why you need anything more. In your example, each
application has an admin role that has a set of permissions for the
application. Each admin role can be assigned to a Sales Admin user
group. Sales Admin users are assigned to the Sales Admin user group.
Done.
App developers focus on designing the roles/permission model for the
applications and would deal with roles, composite roles, and clients.
User admins would focus on managing users and defining groups and
assigning permissions/roles to groups and users. Instead of dealing
with fine-grain roles/permissions for each and every application, user
admins just deal with coarse grain composite roles.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:21 a.m.
On 11/4/2015 10:37 AM, Bill Burke wrote:
On 11/4/2015 10:26 AM, Stan Silvert wrote:
> On 11/4/2015 9:15 AM, Bill Burke wrote:
>> I've alread stated the reason for composite roles:
>>
>> Say you have a set of applications under the Sales and Marketing
>> Department: A Leads Application, Eloqua, and Salesforce. Each of the
>> applications has a set of roles that are used to manage access to
>> various features of each application. For example, each app might have
>> an "admin" role. You would then want to organize permissions into
>> categories and assign coarser grain roles to individual users. So, you
>> would create a "Sales Admin" composite role that contains the
"admin"
>> role of each sales application. Composite roles allow you to group
>> together roles into role catagories that you can assign to a specific
>> user or user group.
>>
>> User Groups are different as you want to assign a set of permissions to
>> a group of users.
>>
>> So composite roles are used to group together roles of a set of
>> applications. User Groups are used to grant a set of perissions to a
>> set of users.
> Maybe it's just me, but I think of user groups as just a way to group
> users, and roles as a way to group permissions. Roles are assigned to
> user groups. Permissions are assigned to roles.
>
We dont' have the concept of a permission, so, assigning roles to a
composite role is equivalent right now of assigning permissions to a role.
Isn't that what Pedro is working on right now?
> I don't see why you need anything more. In your example, each
> application has an admin role that has a set of permissions for the
> application. Each admin role can be assigned to a Sales Admin user
> group. Sales Admin users are assigned to the Sales Admin user group.
> Done.
>
App developers focus on designing the roles/permission model for the
applications and would deal with roles, composite roles, and clients.
User admins would focus on managing users and defining groups and
assigning permissions/roles to groups and users. Instead of dealing
with fine-grain roles/permissions for each and every application, user
admins just deal with coarse grain composite roles.
10:51 a.m.
On 11/4/2015 11:21 AM, Stan Silvert wrote:
On 11/4/2015 10:37 AM, Bill Burke wrote:
>
> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>> I've alread stated the reason for composite roles:
>>>
>>> Say you have a set of applications under the Sales and Marketing
>>> Department: A Leads Application, Eloqua, and Salesforce. Each of the
>>> applications has a set of roles that are used to manage access to
>>> various features of each application. For example, each app might have
>>> an "admin" role. You would then want to organize permissions into
>>> categories and assign coarser grain roles to individual users. So, you
>>> would create a "Sales Admin" composite role that contains the
"admin"
>>> role of each sales application. Composite roles allow you to group
>>> together roles into role catagories that you can assign to a specific
>>> user or user group.
>>>
>>> User Groups are different as you want to assign a set of permissions to
>>> a group of users.
>>>
>>> So composite roles are used to group together roles of a set of
>>> applications. User Groups are used to grant a set of perissions to a
>>> set of users.
>> Maybe it's just me, but I think of user groups as just a way to group
>> users, and roles as a way to group permissions. Roles are assigned to
>> user groups. Permissions are assigned to roles.
>>
> We dont' have the concept of a permission, so, assigning roles to a
> composite role is equivalent right now of assigning permissions to a role.
Isn't that what Pedro is working on right now?
No. His is like: user in this group as write access to this document.
This is just roles and sets of roles.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:24 a.m.
On 11/4/2015 11:51 AM, Bill Burke wrote:
On 11/4/2015 11:21 AM, Stan Silvert wrote:
> On 11/4/2015 10:37 AM, Bill Burke wrote:
>> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>>> I've alread stated the reason for composite roles:
>>>>
>>>> Say you have a set of applications under the Sales and Marketing
>>>> Department: A Leads Application, Eloqua, and Salesforce. Each of the
>>>> applications has a set of roles that are used to manage access to
>>>> various features of each application. For example, each app might have
>>>> an "admin" role. You would then want to organize permissions
into
>>>> categories and assign coarser grain roles to individual users. So, you
>>>> would create a "Sales Admin" composite role that contains the
"admin"
>>>> role of each sales application. Composite roles allow you to group
>>>> together roles into role catagories that you can assign to a specific
>>>> user or user group.
>>>>
>>>> User Groups are different as you want to assign a set of permissions to
>>>> a group of users.
>>>>
>>>> So composite roles are used to group together roles of a set of
>>>> applications. User Groups are used to grant a set of perissions to a
>>>> set of users.
>>> Maybe it's just me, but I think of user groups as just a way to group
>>> users, and roles as a way to group permissions. Roles are assigned to
>>> user groups. Permissions are assigned to roles.
>>>
>> We dont' have the concept of a permission, so, assigning roles to a
>> composite role is equivalent right now of assigning permissions to a role.
> Isn't that what Pedro is working on right now?
No. His is like: user in this group as write access to this document.
This is just roles and sets of roles.
"write access to this document" is a permission. Permissions assigned
to roles. Roles assigned to groups.
Maybe it's just semantics, but that's the kind of think I'm used to
seeing in other systems.
2:24 a.m.
After our chat I realized I was confusing things. I think the initial
design proposed by Bill is good, but we should keep composite roles. Roles
should rename roles and we should introduce role namespaces to replace the
current realm/client role split. So we should have:
* Role
* Composite role - these are powerful as they permit multiple inheritance
(and we also deal with cyclic inheritance). I believe these works well and
we've not had any negative feedback on them AFAIK
* Role namespaces - ability to create a hierarchy of roles (a role
namespace should just be a namespace, and not some sort of all inclusive
role)
* Group
- Simple hierarchy (no multi inheritance)
- A group has one or more attributes
- A group has one or more role mappings
- A user belongs to one or more groups
- A user inherits all role mappings of the group
- A user inherits all attributes of the group (we need to define how
duplicates are resolved)
I think this will provide the required tools to model most things.
Obviously it doesn't model permissions, but that's not the agenda.
Permissions are for Pedro's work, which will hopefully be brought into
master sometime next year.
With regards to how this is all added to tokens and managed in adapters we
need to be able to:
* Include/exclude groups in the token
* Include/exclude roles in the token
- Including ability to specify namespaces to include
* For JEE adapters it should be possible to configure how roles from the
token are mapped onto roles in the app
- Full namespace
- Include single namespace and only include role name, not full namespace
- More (groups -> roles?)? Custom?
Another related topic is fine-grained permissions in the admin
console/endpoints. We should leave it as is for now (course grained), with
the exception of utilizing role namespaces (instead of having to have
"mock" clients). In the future we should be able to leverage Pedro's work
to provide proper fine-grained permissions to the admin console/endpoints.
On 4 November 2015 at 18:24, Stan Silvert <ssilvert(a)redhat.com> wrote:
On 11/4/2015 11:51 AM, Bill Burke wrote:
>
> On 11/4/2015 11:21 AM, Stan Silvert wrote:
>> On 11/4/2015 10:37 AM, Bill Burke wrote:
>>> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>>>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>>>> I've alread stated the reason for composite roles:
>>>>>
>>>>> Say you have a set of applications under the Sales and Marketing
>>>>> Department: A Leads Application, Eloqua, and Salesforce. Each of
the
>>>>> applications has a set of roles that are used to manage access to
>>>>> various features of each application. For example, each app might
have
>>>>> an "admin" role. You would then want to organize
permissions into
>>>>> categories and assign coarser grain roles to individual users. So,
you
>>>>> would create a "Sales Admin" composite role that contains
the "admin"
>>>>> role of each sales application. Composite roles allow you to group
>>>>> together roles into role catagories that you can assign to a
specific
>>>>> user or user group.
>>>>>
>>>>> User Groups are different as you want to assign a set of
permissions
to
>>>>> a group of users.
>>>>>
>>>>> So composite roles are used to group together roles of a set of
>>>>> applications. User Groups are used to grant a set of perissions to
a
>>>>> set of users.
>>>> Maybe it's just me, but I think of user groups as just a way to
group
>>>> users, and roles as a way to group permissions. Roles are assigned to
>>>> user groups. Permissions are assigned to roles.
>>>>
>>> We dont' have the concept of a permission, so, assigning roles to a
>>> composite role is equivalent right now of assigning permissions to a
role.
>> Isn't that what Pedro is working on right now?
> No. His is like: user in this group as write access to this document.
> This is just roles and sets of roles.
>
>
"write access to this document" is a permission. Permissions assigned
to roles. Roles assigned to groups.
Maybe it's just semantics, but that's the kind of think I'm used to
seeing in other systems.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:56 a.m.
Well, based on what you said on policies looks fine to me...
Give a look to the following scenario and if it can be acomplish with KC.
The organization has many subdivisions like this:
Org
|------Subsidiary 1
| |------Branch office 1.1
| | |------Office 1.1.1
| | |------Office 1.1.2
| |------Branch office 1.2
| |------Office 1.2.1
|------Subsidiary 2
| |------Branch office 2.1
| |------Office 2.2.1
| |------Office 2.2.2
...
Can I define authorization in a way that Office 2.2.2 can only touch
the resources specific to it, Branch office 1.1 can see the resources
of Office 1.1.2 and Office 1.1.1, Subsidiary 1 can see all in Branch
office 1.1 and 1.2... and so on...
Jorge Solórzano
On Wed, Nov 4, 2015 at 6:46 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
> Let's supose, you have a group called "GroupA", that group have roles
> "Create invoice" this has 13 permisions, "Remove invoice" this
has 5
> permisions, "Update invoice" this has 19 permisions...
>
> I asign 25 users to Group A, but 2 users, should not have 3 permisions
> that are different in both users, should I need to create "GroupB" and
> "GroupC" with the exact permissions, just to handle this 3 permisions
> exclusions?
>
> It probably can be a little overkill, but IHMO is more flexible than
> an all or nothing approach.
>
I see your point. However, IMO, when you start to use negatives you may end up with
something more complicate and hard to follow.
What I meant by positive logic is not an all or nothing approach, but use positives
permissions and play with them to match your requirements.
For instance, we are developing some additional authorization features to Keycloak. There
you can define a set of policies that rule access to your resources based on different
type of access control mechanisms: rbac, contextual/risk-based, abac, user-based, etc.
Policies can be applied to a resource type, resource instance, a specific scope (eg.:
create, remove, delete, etc) or a combination of them. Policies are also independent of
each other and can be reused and combined in different ways to actually define and enforce
authorization for a given resource/scope.
Considering you scenario, you would have something like that:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Resource X Policy (here we are telling what Group A can do. In this case, access
Resource X and any of its scopes)
- Applies Only Group A Policy
You can also have something like:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Create Invoice Policy (here we're telling that Group A can access a specific
scope.)
- Applies Only Group A Policy
Now, if you want specific policies for some of your users, you can do something like:
- Exceptional Y Policy (which can define a specific user, role, group, any contextual
information like current time or authentication method)
- Create Invoice Policy
- Applies Only Group A Policy
- Applies Exceptional Y Policy
That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
I would appreciate if you could provide some more info about your use case. Right now
I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
Thanks.
Pedro Igor
10:01 a.m.
Yeah, it should be possible. Once Bill finishes his group stuff we can support that.
Right now, the Authz Server we're working on does not provide group-based policies,
which is a requirement to get your use case addressed.
But once groups are there, you can easily define a policy that let's you associate a
set of resources to a group and enforce authorization. We can even provide options to this
type of policy like:
- An option to enable/disable roles inheritance. In case you don't want to inherit
roles when checking for permissions.
- An option do enable/disable group hierarchy checks. In case you want to match only a
specific group.
I'll keep your scenario in mind and test with the Authz Server once we have groups
in.
Thanks.
----- Original Message -----
From: "Jorge Solórzano" <jorsol(a)gmail.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Wednesday, November 4, 2015 11:56:36 AM
Subject: Re: [keycloak-dev] roles vs. groups
Well, based on what you said on policies looks fine to me...
Give a look to the following scenario and if it can be acomplish with KC.
The organization has many subdivisions like this:
Org
|------Subsidiary 1
| |------Branch office 1.1
| | |------Office 1.1.1
| | |------Office 1.1.2
| |------Branch office 1.2
| |------Office 1.2.1
|------Subsidiary 2
| |------Branch office 2.1
| |------Office 2.2.1
| |------Office 2.2.2
...
Can I define authorization in a way that Office 2.2.2 can only touch
the resources specific to it, Branch office 1.1 can see the resources
of Office 1.1.2 and Office 1.1.1, Subsidiary 1 can see all in Branch
office 1.1 and 1.2... and so on...
Jorge Solórzano
On Wed, Nov 4, 2015 at 6:46 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
> Let's supose, you have a group called "GroupA", that group have roles
> "Create invoice" this has 13 permisions, "Remove invoice" this
has 5
> permisions, "Update invoice" this has 19 permisions...
>
> I asign 25 users to Group A, but 2 users, should not have 3 permisions
> that are different in both users, should I need to create "GroupB" and
> "GroupC" with the exact permissions, just to handle this 3 permisions
> exclusions?
>
> It probably can be a little overkill, but IHMO is more flexible than
> an all or nothing approach.
>
I see your point. However, IMO, when you start to use negatives you may end up with
something more complicate and hard to follow.
What I meant by positive logic is not an all or nothing approach, but use positives
permissions and play with them to match your requirements.
For instance, we are developing some additional authorization features to Keycloak. There
you can define a set of policies that rule access to your resources based on different
type of access control mechanisms: rbac, contextual/risk-based, abac, user-based, etc.
Policies can be applied to a resource type, resource instance, a specific scope (eg.:
create, remove, delete, etc) or a combination of them. Policies are also independent of
each other and can be reused and combined in different ways to actually define and enforce
authorization for a given resource/scope.
Considering you scenario, you would have something like that:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Resource X Policy (here we are telling what Group A can do. In this case, access
Resource X and any of its scopes)
- Applies Only Group A Policy
You can also have something like:
- Only Group A Policy (defines that all members of Group A can *do something*)
- Create Invoice Policy (here we're telling that Group A can access a specific
scope.)
- Applies Only Group A Policy
Now, if you want specific policies for some of your users, you can do something like:
- Exceptional Y Policy (which can define a specific user, role, group, any contextual
information like current time or authentication method)
- Create Invoice Policy
- Applies Only Group A Policy
- Applies Exceptional Y Policy
That will provide flexible policies, make them more meaningful and easy to
follow/understand. We are considering protect resources as important assets within an
organization, which should be ruled by a set of policies that must be applied before
accessing them.
I would appreciate if you could provide some more info about your use case. Right now
I'm writing some examples and would be nice to check how your requirements can be
addressed (or not :)) with what we did so far.
Thanks.
Pedro Igor
4:01 p.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, November 3, 2015 7:04:43 PM
Subject: [keycloak-dev] roles vs. groups
Stian and I were having a conversation about roles, keycloak composite
roles, vs. groups. It seems that groups and roles are often confused
and one can be equivalent to the other. One common thread is the following:
Groups are user centric. Roles are permission centric.
"A group is a means of organising users, whereas a role is usually a
means of organising rights."
IMO, groups can also be used to organize rights. It is quite common to only check if an
user is member of a group or any of its parents. Despite any role ...
In any case, handle groups and roles separately is the best way to go ...
So, keycloak composite roles would be a way to organise rights for a set
of applications. For example, you might have a set of sales services,
each sales service has an "admin" and "user" role. You'd define
a
"sales user" and "sales admin" role which would be a composite
containing the "admin" and/or "user" role of each sales service.
Conversely, a keycloak group would provide a way to organize a set of
users. You would create a group called "sales associates" add members
to it and then assign the roles members of the group can partake.
Really, in Keycloak with composite roles, you can have a role act as a
group. So, while groups and roles are logically the sameAdding the
concept of a group though provides distinction and clarity without
overloading the concept of a composite.
+1
Regarding "role act as a group". Yes, you can. And that is what JEE gives you
and it is not enough when you really need to support the group concept, specially when you
need to consider group hierarchies, permission inherited to members, etc. You need some
role mapping hack to get all that working.
IMO, Role (or composite role) != Group ...
So, given that, Role mapping tab for Groups and Users would be named
"Permissions" instead of "Role Mappings". Each role would have a
"Rights" tab instead of the "Composite Role" concept we have now.
That
might bring more clarity? Or will it just confuse concepts that are
going to be introduced by Pedro and his Authz stuff?
Basically, what you are doing is group and role mapping in the end. Where you can add
"permissions" to an group or an user.
The Authz stuff will just use whatever you define in order to write policies for your
protected resources. For instance, we can now define a Group-Based Policy, so you can say
that all members of a group (or any of its parents) can access a resource or perform some
operation on it.
Or even say that any member with a role X within a group can do something.
I'm also thinking that a Groups and Role Namespaces could be combined.
So a group would have a set of "Permissions" (role mappings) that are
automatically granted to user members. The group could also define a
set of "Roles" that apply to this group. So "Sales" could have a
"Manager" role. This "Manager" role would be a composite role that
assigns additional permissions. This would also allow us to define
default roles for
Whoops, I didn't finish....
Combining Groups and Role Namespaces would allow us to define built in
roles for the Group that when assigned would allow management of the
members of the group.
If I got this properly, what you mean is support "GroupRole" relationships.
Where you may say that Bill is Manager in Group A.
IIRC, Hawkular requires that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:13 p.m.
On 11/3/2015 5:01 PM, Pedro Igor Silva wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, November 3, 2015 7:04:43 PM
> Subject: [keycloak-dev] roles vs. groups
>
> Stian and I were having a conversation about roles, keycloak composite
> roles, vs. groups. It seems that groups and roles are often confused
> and one can be equivalent to the other. One common thread is the following:
>
> Groups are user centric. Roles are permission centric.
>
> "A group is a means of organising users, whereas a role is usually a
> means of organising rights."
IMO, groups can also be used to organize rights. It is quite common to only check if an
user is member of a group or any of its parents. Despite any role ...
In any case, handle groups and roles separately is the best way to go ...
>
> So, keycloak composite roles would be a way to organise rights for a set
> of applications. For example, you might have a set of sales services,
> each sales service has an "admin" and "user" role. You'd
define a
> "sales user" and "sales admin" role which would be a composite
> containing the "admin" and/or "user" role of each sales service.
>
> Conversely, a keycloak group would provide a way to organize a set of
> users. You would create a group called "sales associates" add members
> to it and then assign the roles members of the group can partake.
>
> Really, in Keycloak with composite roles, you can have a role act as a
> group. So, while groups and roles are logically the sameAdding the
> concept of a group though provides distinction and clarity without
> overloading the concept of a composite.
+1
Regarding "role act as a group". Yes, you can. And that is what JEE gives you
and it is not enough when you really need to support the group concept, specially when you
need to consider group hierarchies, permission inherited to members, etc. You need some
role mapping hack to get all that working.
IMO, Role (or composite role) != Group ...
>
> So, given that, Role mapping tab for Groups and Users would be named
> "Permissions" instead of "Role Mappings". Each role would have
a
> "Rights" tab instead of the "Composite Role" concept we have now.
That
> might bring more clarity? Or will it just confuse concepts that are
> going to be introduced by Pedro and his Authz stuff?
Basically, what you are doing is group and role mapping in the end. Where you can add
"permissions" to an group or an user.
The Authz stuff will just use whatever you define in order to write policies for your
protected resources. For instance, we can now define a Group-Based Policy, so you can say
that all members of a group (or any of its parents) can access a resource or perform some
operation on it.
Or even say that any member with a role X within a group can do something.
>
> I'm also thinking that a Groups and Role Namespaces could be combined.
> So a group would have a set of "Permissions" (role mappings) that are
> automatically granted to user members. The group could also define a
> set of "Roles" that apply to this group. So "Sales" could have
a
> "Manager" role. This "Manager" role would be a composite role
that
> assigns additional permissions. This would also allow us to define
> default roles for
> Whoops, I didn't finish....
> Combining Groups and Role Namespaces would allow us to define built in
> roles for the Group that when assigned would allow management of the
> members of the group.
If I got this properly, what you mean is support "GroupRole" relationships.
Where you may say that Bill is Manager in Group A.
IIRC, Hawkular requires that.
I'm just proposing a role namespace. i.e. Group A defines a role called
"Manager". Bill has role mapping A.Manager. I want to avoid
overlapping with what you are doing. Each group would have some built
in declared roles: i.e. add-user, manage-user, manage-group, etc...So
that a user can be permitted to manage the members of the group. A few
people have been asking for this.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:24 p.m.
I was just about to respond to this thread when I realized that it's
kind of pointless without diagrams. Wish we could all be in Brno right
now with a shared whiteboard.
On 11/3/2015 8:13 PM, Bill Burke wrote:
On 11/3/2015 5:01 PM, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, November 3, 2015 7:04:43 PM
>> Subject: [keycloak-dev] roles vs. groups
>>
>> Stian and I were having a conversation about roles, keycloak composite
>> roles, vs. groups. It seems that groups and roles are often confused
>> and one can be equivalent to the other. One common thread is the following:
>>
>> Groups are user centric. Roles are permission centric.
>>
>> "A group is a means of organising users, whereas a role is usually a
>> means of organising rights."
> IMO, groups can also be used to organize rights. It is quite common to only check if
an user is member of a group or any of its parents. Despite any role ...
>
> In any case, handle groups and roles separately is the best way to go ...
>
>> So, keycloak composite roles would be a way to organise rights for a set
>> of applications. For example, you might have a set of sales services,
>> each sales service has an "admin" and "user" role. You'd
define a
>> "sales user" and "sales admin" role which would be a
composite
>> containing the "admin" and/or "user" role of each sales
service.
>>
>> Conversely, a keycloak group would provide a way to organize a set of
>> users. You would create a group called "sales associates" add members
>> to it and then assign the roles members of the group can partake.
>>
>> Really, in Keycloak with composite roles, you can have a role act as a
>> group. So, while groups and roles are logically the sameAdding the
>> concept of a group though provides distinction and clarity without
>> overloading the concept of a composite.
> +1
>
> Regarding "role act as a group". Yes, you can. And that is what JEE gives
you and it is not enough when you really need to support the group concept, specially when
you need to consider group hierarchies, permission inherited to members, etc. You need
some role mapping hack to get all that working.
>
> IMO, Role (or composite role) != Group ...
>
>> So, given that, Role mapping tab for Groups and Users would be named
>> "Permissions" instead of "Role Mappings". Each role would
have a
>> "Rights" tab instead of the "Composite Role" concept we have
now. That
>> might bring more clarity? Or will it just confuse concepts that are
>> going to be introduced by Pedro and his Authz stuff?
> Basically, what you are doing is group and role mapping in the end. Where you can add
"permissions" to an group or an user.
>
> The Authz stuff will just use whatever you define in order to write policies for your
protected resources. For instance, we can now define a Group-Based Policy, so you can say
that all members of a group (or any of its parents) can access a resource or perform some
operation on it.
>
> Or even say that any member with a role X within a group can do something.
>
>> I'm also thinking that a Groups and Role Namespaces could be combined.
>> So a group would have a set of "Permissions" (role mappings) that are
>> automatically granted to user members. The group could also define a
>> set of "Roles" that apply to this group. So "Sales" could
have a
>> "Manager" role. This "Manager" role would be a composite
role that
>> assigns additional permissions. This would also allow us to define
>> default roles for
>> Whoops, I didn't finish....
>> Combining Groups and Role Namespaces would allow us to define built in
>> roles for the Group that when assigned would allow management of the
>> members of the group.
> If I got this properly, what you mean is support "GroupRole" relationships.
Where you may say that Bill is Manager in Group A.
>
> IIRC, Hawkular requires that.
>
I'm just proposing a role namespace. i.e. Group A defines a role called
"Manager". Bill has role mapping A.Manager. I want to avoid
overlapping with what you are doing. Each group would have some built
in declared roles: i.e. add-user, manage-user, manage-group, etc...So
that a user can be permitted to manage the members of the group. A few
people have been asking for this.
5:32 a.m.
I'm just proposing a role namespace. i.e. Group A defines a role called
"Manager". Bill has role mapping A.Manager. I want to avoid
overlapping with what you are doing. Each group would have some built
in declared roles: i.e. add-user, manage-user, manage-group, etc...So
that a user can be permitted to manage the members of the group. A few
people have been asking for this.
So my understanding is correct. This is what I meant by "GroupRole"
relationships, which is also supported in PL. However, there we don't have roles
within a group. But you can just assign any existing role to an user in the scope of a
specific group.
Regarding the overlap, there is no overlap with what I'm doing. What I'm doing is
permission, what an user is actually allowed to do, considering the resources and the
actions that can be performed on them (plus other things related authz). Like I said, we
are going to use all the stuff you are doing to actually define permissions/policies for
protected resources.
Maybe the names "Permission" and "Rights" are not the best ones for
what you are doing ? Maybe you should keep "Role Mapping" instead ?
Conceptually, what you are doing is not permissions ...
8:03 a.m.
On 11/4/2015 6:32 AM, Pedro Igor Silva wrote:
>
> I'm just proposing a role namespace. i.e. Group A defines a role called
> "Manager". Bill has role mapping A.Manager. I want to avoid
> overlapping with what you are doing. Each group would have some built
> in declared roles: i.e. add-user, manage-user, manage-group, etc...So
> that a user can be permitted to manage the members of the group. A few
> people have been asking for this.
>
So my understanding is correct. This is what I meant by "GroupRole"
relationships, which is also supported in PL. However, there we don't have roles
within a group. But you can just assign any existing role to an user in the scope of a
specific group.
What do you mean by "assign any existing role to an user in the scope of
a specific group"? User has Manager role for Group A? So, the
relationship (or join table) is User->Role->Group? User would not have
Manager role for Group B. That relationship would have to be set up
separately.
Isn't that different than "all users of Group A have the manager role"?
The difference would be in the token creation. The former, "User has
Manage role for Group A" would have to look like this:
"groups": [
{ "name" : "Group A",
"roles" : [ "Manager" ]
}
]
The latter "users of Group A have the manager role", would just add
"manager" to the list of roles the user has:
"roles: ["Manager"]
There really is no equivalent in Java EE for leveraging a
User/Role/Group relationship. We'd have to add it to our adapters.
Isn't "users of Group A have the manager role" enough?
Regarding the overlap, there is no overlap with what I'm doing.
What I'm doing is permission, what an user is actually allowed to do, considering the
resources and the actions that can be performed on them (plus other things related authz).
Like I said, we are going to use all the stuff you are doing to actually define
permissions/policies for protected resources.
Maybe the names "Permission" and "Rights" are not the best ones for
what you are doing ? Maybe you should keep "Role Mapping" instead ?
Conceptually, what you are doing is not permissions ...
So Role Mappings instead of Permissions for Groups. I need a better
name for "composite role". I also need a better name for "Role
Namespace".
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:36 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, November 4, 2015 12:03:24 PM
Subject: Re: [keycloak-dev] roles vs. groups
On 11/4/2015 6:32 AM, Pedro Igor Silva wrote:
>>
>> I'm just proposing a role namespace. i.e. Group A defines a role called
>> "Manager". Bill has role mapping A.Manager. I want to avoid
>> overlapping with what you are doing. Each group would have some built
>> in declared roles: i.e. add-user, manage-user, manage-group, etc...So
>> that a user can be permitted to manage the members of the group. A few
>> people have been asking for this.
>>
>
> So my understanding is correct. This is what I meant by "GroupRole"
> relationships, which is also supported in PL. However, there we don't have
> roles within a group. But you can just assign any existing role to an user
> in the scope of a specific group.
>
What do you mean by "assign any existing role to an user in the scope of
a specific group"? User has Manager role for Group A? So, the
relationship (or join table) is User->Role->Group? User would not have
Manager role for Group B. That relationship would have to be set up
separately.
Yes, that is what I meant: "User has Manager role for Group A". And yes, User
would not have Manager role for Group B, only Group A.
Isn't that different than "all users of Group A have the manager role"?
Yeah, that is different. The case above is about inheriting roles from the group you are
member of, right ?
The difference would be in the token creation. The former, "User has
Manage role for Group A" would have to look like this:
"groups": [
{ "name" : "Group A",
"roles" : [ "Manager" ]
}
]
+1
The latter "users of Group A have the manager role", would just add
"manager" to the list of roles the user has:
"roles: ["Manager"]
+1
There really is no equivalent in Java EE for leveraging a
User/Role/Group relationship. We'd have to add it to our adapters.
Isn't "users of Group A have the manager role" enough?
For most cases yes. But if you want to be more flexible you can support that as well.
IIRC, Hawkular wants group role. And it might be useful for others as well.
> Regarding the overlap, there is no overlap with what I'm doing. What I'm
> doing is permission, what an user is actually allowed to do, considering
> the resources and the actions that can be performed on them (plus other
> things related authz). Like I said, we are going to use all the stuff you
> are doing to actually define permissions/policies for protected resources.
>
> Maybe the names "Permission" and "Rights" are not the best ones
for what
> you are doing ? Maybe you should keep "Role Mapping" instead ?
> Conceptually, what you are doing is not permissions ...
>
So Role Mappings instead of Permissions for Groups. I need a better
name for "composite role". I also need a better name for "Role
Namespace".
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:43 a.m.
On 11/4/2015 9:36 AM, Pedro Igor Silva wrote:
> There really is no equivalent in Java EE for leveraging a
> User/Role/Group relationship. We'd have to add it to our adapters.
> Isn't "users of Group A have the manager role" enough?
For most cases yes. But if you want to be more flexible you can support that as well.
IIRC, Hawkular wants group role. And it might be useful for others as well.
Doesn't User/Role/Group start to overlap with what you're doing? I
thought Hawkular wanted a permission model so that you could assign
permissions to resources based on group membership. If I added a
user/role/group relationship mapping, wouldn't people start using that
to implement similar permission model to what you are doing?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:26 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, November 5, 2015 11:43:25 AM
Subject: Re: [keycloak-dev] roles vs. groups
On 11/4/2015 9:36 AM, Pedro Igor Silva wrote:
>> There really is no equivalent in Java EE for leveraging a
>> User/Role/Group relationship. We'd have to add it to our adapters.
>> Isn't "users of Group A have the manager role" enough?
>
> For most cases yes. But if you want to be more flexible you can support
> that as well. IIRC, Hawkular wants group role. And it might be useful for
> others as well.
>
Doesn't User/Role/Group start to overlap with what you're doing? I
thought Hawkular wanted a permission model so that you could assign
permissions to resources based on group membership. If I added a
user/role/group relationship mapping, wouldn't people start using that
to implement similar permission model to what you are doing?
Not really. What I'm doing is completely different and is related with permissions and
fine-grained authorization.
One thing is say that User A has Role B. Or User A has Role B in Group C. Or User A is
member of Group C. You are not assigning permissions, but defining a baseline to actually
define them. Let's say you are logically separating permissions but not defining what,
how and when can be accessed.
Like I said in other emails, whatever you define for roles and groups would be used to
create policies, covering fine-grained permissions and considering different types of
access control mechanisms such as role-based, group-based, user-based, context-based,
attribute-based, etc.
Let's use the following example. You have defined that User A has Role B in Group C.
From this statement you don't know what that means from a access control perspectice.
You only know that User A has Role B in Group C. What that means from a access control
mechanism is implicit and will probably be used to actually *enforce* a policy when
accessing some resource.
Usually, what people do is obtain that statement somewhere (eg.: from a token) and write a
if statement around the code the will access a resource.
Now, in the case of the Authz Server, you would not use ifs or enforce these policies by
your self. You will use a rich and powerful policy engine to say if a resource can be
accessed or not. Where you can use not only that statement (user/group/role) but mix other
statements such as: user must have authenticated with OTP, time must be XX:XX:XX, the
authenticated user must be the resource owner, only the Action X can be performed, etc.
Or you can even just ask the authorization server for all the *entitlements* for an user.
And the server will give you which resources and what actions can be accessed/performed by
a given user.
Regarding Hawkular, they need a permission model, yes. But they also need a permission
model that can also support policies/permissions based on User/Role/Group relationship.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3120
days inactive
3122
days old
23 comments
5 participants
participants (5)
-
Bill Burke -
Jorge Solórzano -
Pedro Igor Silva -
Stan Silvert -
Stian Thorgersen