I'm trying to wrap my head around the use cases where each would be
used. If I understand it correctly, a role is a unit of authorization.
Roles can have entitlements, either defined by Keycloak or an
application. A role can have other roles as members. It can also
have groups and individual users. Groups aren't directly linked to
entitlements, but are instead used to simply create a way to create a
set of users (and groups). Is this an accurate representation?

I ask because I want to build some integrations between OpenUnison and
MyVirtualDirectory. Both work primarily on the LDAP concepts of
users, groups and users. Beyond SSO integration between OpenUnison
and Keycloak, I'm looking at creating a provisioning target so
OpenUnison workflows can provision access to Keycloak roles as well
as an insert for MyVirtualDirectory that can represent Keycloak roles
and users as LDAP Objects for legacy applications.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com