Hi,
I want to keep my roles and permissions simple, but I have some specific requirements and
I’m struggling to map these to Keycloak groups or roles. For example, I need to assign
users to predefined roles based on their current „location“. Instead of describing the
actual roles of my portal, I’ll use a student portal to give an example of what I’m
looking for. It should be more self-explanatory.
Think of a student portal where there is a „global“ area where students can see the
courses they are enrolled in, and „course“ areas for each of the courses with course
material etc.:
* Students can sign in to the student portal with their student id. They can see their
courses on the „global“ page, but not others.
* Students can’t create courses, but they can be administrators within selected
courses (think of tutors who get another role assigned by a course’s professor).
* Professors can see all courses, and create new ones. They can enroll students into
courses and assign them a specific role for this course (e.g. tutor, guest, „normal
student“).
* Professors have no permissions for courses they don’t own.
Roles and permissions.
As mentioned above, there are two scopes, global and course. A user has one role at a time,
depending on his/her current location.
* GLOBAL_PROFESSOR: This is the role a professor has on the global scope. Here she/he
can create new courses, and administer (create, delete, open, close) his/her own courses. She/he
otherwise has no permissions for courses of other professors.
* COURSE_PROFESSOR: This is the role a professor has on the course scope. Here she/he
has admin rights, can assign course roles to students etc., as explained above.
* GLOBAL_STUDENT: The role a student has on the global scope. Here she/he can see
courses, but can’t do much else.
* COURSE_STUDENT: The role a student has within the scope of a particular course, e.g.
see all course materials, upload new stuff, post messages in a course forum, etc.
* COURSE_TUTOR: Same as student, plus they can e.g. enroll students in the course,
delete assets of other students of this course, etc.
* COURSE_GUEST: Can view course content, but can’t upload files or do much else but
view and download stuff.
I could create groups for each of the courses and each role – but that is actually what
I’d rather avoid for maintenance reasons and simplicity.
What group and role definition model would you suggest for this with Keycloak?
Cheers
Ben
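One way to enforce the "one role per location" model described above on the application side, as an added example that is not part of the original post and not Keycloak's own code. It assumes the GLOBAL_* roles arrive as realm roles in `realm_access.roles` and the per-course roles as a custom `course_roles` claim (course id to COURSE_* role, e.g. filled from a user attribute by a protocol mapper), so no per-course groups are needed.

```python
# Added example (not from the original post): resolve the single role a user
# holds at a "location" from Keycloak-style token claims and check an action.
# Assumed encoding: GLOBAL_* roles are realm roles (realm_access.roles); course
# roles live in a custom claim "course_roles" {course_id: COURSE_* role}.

GLOBAL_ROLES = {"GLOBAL_PROFESSOR", "GLOBAL_STUDENT"}
COURSE_ROLES = {"COURSE_PROFESSOR", "COURSE_TUTOR", "COURSE_STUDENT", "COURSE_GUEST"}

# Action sets per role, following the post's description of each role.
PERMISSIONS = {
    "GLOBAL_PROFESSOR": {"course:create", "course:list_own", "course:administer_own"},
    "GLOBAL_STUDENT": {"course:list_own"},
    "COURSE_GUEST": {"material:view", "material:download"},
    "COURSE_STUDENT": {"material:view", "material:download", "material:upload", "forum:post"},
}
PERMISSIONS["COURSE_TUTOR"] = PERMISSIONS["COURSE_STUDENT"] | {"member:enroll", "asset:delete_others"}
PERMISSIONS["COURSE_PROFESSOR"] = PERMISSIONS["COURSE_TUTOR"] | {"role:assign", "course:administer"}


def effective_role(claims, location):
    """Return the one role `claims` grant at `location` ("global" or a course id), or None."""
    if location == "global":
        held = GLOBAL_ROLES & set(claims.get("realm_access", {}).get("roles", []))
        if len(held) != 1:  # one role at a time: reject a missing or ambiguous global role
            raise ValueError(f"expected exactly one global role, got {sorted(held)}")
        return held.pop()
    role = claims.get("course_roles", {}).get(location)
    if role is not None and role not in COURSE_ROLES:
        raise ValueError(f"unknown course role {role!r}")
    return role  # None: the user holds no role, hence has no access, in this course


def is_allowed(claims, location, action):
    """Deny by default: only an explicitly held role at this location grants `action`."""
    role = effective_role(claims, location)
    return role is not None and action in PERMISSIONS[role]


# Constructed sample claims, as an application sees them after token verification.
PROF_CLAIMS = {"realm_access": {"roles": ["GLOBAL_PROFESSOR"]},
               "course_roles": {"cs101": "COURSE_PROFESSOR"}}
STUDENT_CLAIMS = {"realm_access": {"roles": ["GLOBAL_STUDENT"]},
                  "course_roles": {"cs101": "COURSE_TUTOR", "ma201": "COURSE_STUDENT"}}

if __name__ == "__main__":
    print(is_allowed(PROF_CLAIMS, "global", "course:create"))    # True
    print(is_allowed(PROF_CLAIMS, "ee300", "material:view"))     # False: not her course
    print(is_allowed(STUDENT_CLAIMS, "cs101", "member:enroll"))  # True: tutor here
    print(is_allowed(STUDENT_CLAIMS, "ma201", "member:enroll"))  # False: plain student here
```

Because the course role is looked up per course id, a professor's course-scope rights never leak into courses she/he does not own, and a student's tutor rights stay confined to the one course where they were assigned.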