----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, November 3, 2015 7:04:43 PM
Subject: [keycloak-dev] roles vs. groups
Stian and I were having a conversation about roles, keycloak composite
roles, vs. groups. It seems that groups and roles are often confused
and one can be equivalent to the other. One common thread is the following:
Groups are user centric. Roles are permission centric.
"A group is a means of organising users, whereas a role is usually a
means of organising rights."
IMO, groups can also be used to organize rights. It is quite common to only check if an
user is member of a group or any of its parents. Despite any role ...
In any case, handle groups and roles separately is the best way to go ...
So, keycloak composite roles would be a way to organise rights for a set
of applications. For example, you might have a set of sales services,
each sales service has an "admin" and "user" role. You'd define
a
"sales user" and "sales admin" role which would be a composite
containing the "admin" and/or "user" role of each sales service.
Conversely, a keycloak group would provide a way to organize a set of
users. You would create a group called "sales associates" add members
to it and then assign the roles members of the group can partake.
Really, in Keycloak with composite roles, you can have a role act as a
group. So, while groups and roles are logically the sameAdding the
concept of a group though provides distinction and clarity without
overloading the concept of a composite.
+1
Regarding "role act as a group". Yes, you can. And that is what JEE gives you
and it is not enough when you really need to support the group concept, specially when you
need to consider group hierarchies, permission inherited to members, etc. You need some
role mapping hack to get all that working.
IMO, Role (or composite role) != Group ...
So, given that, Role mapping tab for Groups and Users would be named
"Permissions" instead of "Role Mappings". Each role would have a
"Rights" tab instead of the "Composite Role" concept we have now.
That
might bring more clarity? Or will it just confuse concepts that are
going to be introduced by Pedro and his Authz stuff?
Basically, what you are doing is group and role mapping in the end. Where you can add
"permissions" to an group or an user.
The Authz stuff will just use whatever you define in order to write policies for your
protected resources. For instance, we can now define a Group-Based Policy, so you can say
that all members of a group (or any of its parents) can access a resource or perform some
operation on it.
Or even say that any member with a role X within a group can do something.
I'm also thinking that a Groups and Role Namespaces could be combined.
So a group would have a set of "Permissions" (role mappings) that are
automatically granted to user members. The group could also define a
set of "Roles" that apply to this group. So "Sales" could have a
"Manager" role. This "Manager" role would be a composite role that
assigns additional permissions. This would also allow us to define
default roles for
Whoops, I didn't finish....
Combining Groups and Role Namespaces would allow us to define built in
roles for the Group that when assigned would allow management of the
members of the group.
If I got this properly, what you mean is support "GroupRole" relationships.
Where you may say that Bill is Manager in Group A.
IIRC, Hawkular requires that.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev