On 12/10/2015 4:09 PM, Marc Boorshtein wrote:
>> Roles in Keycloak are similar to Java EE roles. Users are granted a
>> role, and become members of a Group. Groups in Keycloak are a
>> collection of users. Groups can have roles and attributes assigned to
>> them that user members inherit.
>>
> OK, so let me see if I'm conceptualizing this correctly. I've created
> a role called "MyRole". I have a group called "MyGroup" and a user
> named Matt Mosley (mmosley). I can grant mmosley the role MyRole
> directly, or I can add mmosley to MyGroup and grant MyGroup MyRole?
> Additionally, if the group MyGroup has an attribute x with the value y,
> then mmosley, once assigned to MyGroup, would inherit the group
> attribute x=y?
>
>> Clients/Applications work with roles, not with groups. Applications
>> assign privileges to roles, not users or groups. Keycloak currently
>> does not have the concept of Permissions/Entitlements. Applications
>> have to handle how privileges are assigned to a role themselves.
>>
> I think we're saying the same thing here. Roles are the integration
> point with Keycloak (not groups), and it's the application that gives a
> role meaning.
>
> So if I were to create a directory structure for an LDAP tree it would
> probably look something like:
>
> ou=keycloack
>   - ou=users
>     - uid=mmosley
>   - ou=groups
>     - cn=MyGroup
>   - ou=roles
>     - cn=myrole
>     - ou=app1
>       - cn=anAppSpecificRole
>
> OpenUnison doesn't have the concept of "roles" vs "groups", so I
> would probably have all roles start with "role." and groups start
> with "group." so I can differentiate between them.
>
> Am I on the right track? I've got Keycloak up and running so I'll
> play around with the APIs too, but didn't want to do that in a vacuum.
Yes, you are on the right track. We're always open to suggestions on
how to model things better too.

Also, you could certainly populate group membership information in your
tokens/SAML assertions and combine the concepts of group/role. But
Keycloak itself has separate meanings for them.

Also, Pedro is working on a permission service based on UMA. You should be
seeing alphas/betas coming out soon.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
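As an added illustration of the model discussed in this thread (a user holds roles directly or inherits roles and attributes from its groups; applications check roles, never groups; a consumer with only a group concept gets "role."/"group."-prefixed names), here is a small constructed Python model. It is example code written for this page, not Keycloak's or OpenUnison's own API; the class names, the `openunison_groups` helper and the rule that a user's own attribute overrides a group attribute of the same name are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed model of the Keycloak concepts in the thread: a user is
# granted roles directly, or inherits roles and attributes from the
# groups it is a member of. Class names and the "role."/"group." prefix
# convention are assumptions for this example, not Keycloak's API.


@dataclass
class Group:
    name: str
    roles: Set[str] = field(default_factory=set)
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class User:
    username: str
    direct_roles: Set[str] = field(default_factory=set)
    attributes: Dict[str, str] = field(default_factory=dict)
    groups: List[Group] = field(default_factory=list)


def effective_roles(user: User) -> Set[str]:
    """Roles granted directly plus every role inherited from a group."""
    roles = set(user.direct_roles)
    for group in user.groups:
        roles |= group.roles
    return roles


def effective_attributes(user: User) -> Dict[str, str]:
    """Group attributes inherited by the member. As an assumed rule for
    this example, the user's own attribute of the same name wins, so a
    per-user override is never silently replaced by a group value."""
    merged: Dict[str, str] = {}
    for group in user.groups:
        merged.update(group.attributes)
    merged.update(user.attributes)
    return merged


def openunison_groups(user: User) -> List[str]:
    """Flatten roles and groups into one sorted list, using the proposed
    "role." / "group." prefixes so a consumer that only understands
    groups can still tell the two apart."""
    names = {"role." + role for role in effective_roles(user)}
    names |= {"group." + group.name for group in user.groups}
    return sorted(names)


def app_can(user: User, required_role: str) -> bool:
    """What an application does with the assertion: it checks for a role
    and gives that role meaning itself; it never looks at groups."""
    return required_role in effective_roles(user)


if __name__ == "__main__":
    # Constructed sample data matching the thread's example names.
    my_group = Group("MyGroup", roles={"MyRole"}, attributes={"x": "y"})
    mmosley = User("mmosley", groups=[my_group])
    print(sorted(effective_roles(mmosley)))   # ['MyRole']
    print(effective_attributes(mmosley))      # {'x': 'y'}
    print(openunison_groups(mmosley))         # ['group.MyGroup', 'role.MyRole']
    print(app_can(mmosley, "MyRole"))         # True
    print(app_can(mmosley, "anAppSpecificRole"))  # False
```

Granting MyRole to mmosley directly (`User("mmosley", direct_roles={"MyRole"})`) yields the same effective role set and the same `app_can` answer, which is the point of the thread: the application only ever sees roles, and whether a role arrived directly or via a group is a Keycloak-side modelling choice.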