Yes, you are on the right track. We're always open to suggestions on how to
model things better too.
Excellent. I really like the separation of roles and groups. It
creates a very clean logical break between the two. I usually do this
with most of my deployments from a conceptual standpoint, but the fact
that it's built into Keycloak is very nice.
Also, you could certainly populate group membership information in your
tokens/SAML assertions and combine the concepts of group/role. But Keycloak
itself has separate meanings for them.
Makes sense. I tend to take an "all of the above" approach to
identity. So few applications follow consistent standards that I'd
rather have several options than be forced to use just one.
Also, Pedro is working on a permission service based on UMA. You should be
seeing alphas/betas coming out soon.
Very nice. Looking forward to it!