Hi Vinay,
From my experience, I'd say that:
- roles are more likely to reflect a person's functions in the
organization;
- groups are more likely to reflect organizational structure.
For example, if there are offices and departments (like "NY Office",
"IT Department"), that would normally map to nested groups.
On the other hand, business functions would rather map to roles (like
"managers", "developers", "sysadmins" etc.)
There are also a number of technical differences:
- akin to nested groups, there are composite roles. However, the logic
is different: if you grant a composite role to a user, every child role
would be granted, too (which is not true for groups);
- you can assign a role to a group (not vice versa);
- by default, Keycloak adapters can restrict access based on roles
only. If you want to use groups for the same, you'll need to turn on
authorization services and create corresponding policies.
Could you please elaborate on your particular use case? If you describe
it briefly, I think we'll be able to decide what's better for you.
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
What is the difference between Keycloak roles and user groups? Are they
interchangeable, i.e. can we use roles instead of groups or vice versa to
address a problem? Is it possible to have roles within roles, just like
groups?
Clear guidelines on how to use groups and roles will help.
Thanks
/Vinay
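Added example, not part of the original message and not Keycloak code: a toy Python model of the technical differences listed in the reply (a composite role grants its child roles, a role can be assigned to a group, and joining a parent group does not make the user a member of its subgroups). All role and group names are constructed, and the model assumes that a subgroup member also receives the role mappings of its parent groups.

```python
# Toy model (not Keycloak code) of how effective roles are resolved.
# All role and group names below are constructed for illustration.

COMPOSITES = {            # composite role -> child roles it contains
    "sysadmins": {"view-servers", "restart-servers"},
    "managers": {"approve-leave", "sysadmins"},   # composites can nest
}
GROUP_PARENT = {          # child group -> parent group (None = top level)
    "NY Office": None,
    "IT Department": "NY Office",
}
GROUP_ROLES = {           # roles assigned to groups (never groups to roles)
    "NY Office": {"ny-building-access"},
    "IT Department": {"sysadmins"},
}


def expand(roles):
    """Return the roles plus every child reachable through composites."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPOSITES.get(role, ()))
    return seen


def group_chain(group):
    """Yield the group and its ancestors, never its subgroups."""
    while group is not None:
        yield group
        group = GROUP_PARENT[group]


def effective_roles(direct_roles=(), groups=()):
    """Roles a user ends up with from direct grants and group membership."""
    roles = set(direct_roles)
    for group in groups:
        for member_of in group_chain(group):   # assumption: parents' roles apply
            roles |= GROUP_ROLES.get(member_of, set())
    return expand(roles)


if __name__ == "__main__":
    print(sorted(effective_roles(direct_roles={"managers"})))
    print(sorted(effective_roles(groups={"NY Office"})))
    print(sorted(effective_roles(groups={"IT Department"})))
```

A member of "NY Office" alone does not pick up "sysadmins", while a user granted the composite "managers" role picks up every nested child role.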