I'm sure people will confuse Groups and Roles. Groups in LDAP generally
seem to be equivalent to Roles in Java EE. But that's not the case in
Keycloak.
Roles in Keycloak are similar to Java EE roles. Users are granted a
role, and become members of a Group. Groups in Keycloak are a
collection of users. Groups can have roles and attributes assigned to
them that user members inherit.
Clients/Applications work with roles, not with groups. Applications
assign privileges to roles, not users or groups. Keycloak currently
does not have the concept of Permissions/Entitlements. Applications
have to handle how privileges are assigned to a role themselves.
On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
I'm trying to wrap my head around the use cases where each would be
used. If I understand it correctly, a role is a unit of authorization.
Roles can have entitlements, either defined by Keycloak or an
application. A role can have other roles as members. It can also
have groups and individual users. Groups aren't directly linked to
entitlements, but are instead used to simply create a way to create a
set of users (and groups). Is this an accurate representation?
I ask because I want to build some integrations between OpenUnison and
MyVirtualDirectory. Both work primarily on the LDAP concepts of
users, groups and users. Beyond SSO integration between OpenUnison
and Keycloak, I'm looking at creating a provisioning target so
OpenUnison workflows can provision access to Keycloak roles as well
as an insert for MyVirtualDirectory that can represent Keycloak roles
and users as LDAP Objects for legacy applications.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
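To make the distinction in the reply above concrete, here is an added example (not Keycloak's own code, and not from either poster) that models the described semantics with constructed data: users are granted roles directly or inherit them through group membership, composite roles (a Keycloak feature assumed here, as Marc's question describes roles containing roles) expand to the roles they contain, and the application only ever checks a role name, never a group name.

```python
# Added example (not Keycloak's own code): a small model of the
# role/group semantics described in the thread, with constructed data.
from typing import Dict, List, Set

# Roles known to the realm. A composite role lists the roles it contains
# (assumed here for illustration; an empty list means a plain role).
COMPOSITES: Dict[str, List[str]] = {
    "manager": ["employee", "approver"],
    "employee": [],
    "approver": [],
    "auditor": [],
}

# Groups are collections of users; each carries roles its members inherit.
GROUP_ROLES: Dict[str, List[str]] = {
    "finance": ["auditor"],
    "ops": ["employee"],
}

# Users: directly granted roles plus group memberships (constructed sample).
USERS = {
    "alice": {"roles": ["manager"], "groups": ["finance"]},
    "bob": {"roles": [], "groups": ["ops"]},
    "carol": {"roles": [], "groups": []},
}


def expand(role: str, seen: Set[str]) -> Set[str]:
    """Expand a composite role into the full set it grants (cycle-safe)."""
    if role in seen:
        return seen
    seen.add(role)
    for child in COMPOSITES.get(role, []):
        expand(child, seen)
    return seen


def effective_roles(user: str) -> Set[str]:
    """Roles the user ends up with: direct grants plus roles of their groups."""
    granted = list(USERS[user]["roles"])
    for group in USERS[user]["groups"]:
        granted.extend(GROUP_ROLES.get(group, []))
    result: Set[str] = set()
    for role in granted:
        expand(role, result)
    return result


def has_role(user: str, role: str) -> bool:
    """What an application checks: a role, never a group name."""
    return role in effective_roles(user)
```

Note that `has_role("bob", "ops")` is false: membership in the `ops` group grants `employee`, but the group name itself is not a privilege the application can test for.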