> Keycloak, roles are not related to groups (however a group can
> reference roles to be automatically assigned to group members).
Yes, I just was not sure if I overlooked something here.
Regarding the fine-grained approach: the problem would be that a user may be a PLAYER in
a certain team/group but a COACH in a different team/group.
I was thinking about creating roles like, for example, COACH@team1_1 and PLAYER@team_1_2, so
during the permission evaluation I could parse this information.
Unfortunately Keycloak has neither paging query support for Roles nor for Groups, and
therefore this approach currently would not scale, as you may generate a few thousand
roles.
My current idea is that I handle this hierarchical role concept in a custom application and
just use Keycloak for authentication and global role management.
Kind Regards,
Max
On 23.07.18 at 03:18, Dmitry Telegin wrote:
Hi Max,
On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> Hi Dmitry,
>
> do you know if there is any way to retrieve the group context of a
> role?
Could you please elaborate on the "group context of a role"? In
Keycloak, roles are not related to groups (however a group can
reference roles to be automatically assigned to group members).
> My use case would be that I have multiple sport clubs (group) with
> multiple teams (subgroup):
>
> -club1
> --team1_1
> --team1_2
> -club2
> --team2_1
> --team2_1
>
> I have for example the role COACH but of course this role makes only
> sense in context of the team.
I agree with that, but what's the (bigger) problem you're trying to
solve?
I'd imagine that you want to grant coaches some privileged access to the players'
data; the coach should manage only the team he is assigned to. If that's what
you're trying to do, I'd suggest the following:
- create the "coach" role;
- grant this role to all coaches;
- put your coaches into the corresponding groups (teams);
- use fine-grained permissions to implement access rules (grant access to the
players' data if the requester has the "coach" role and belongs to the same
group as the player).
Hope it helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
> As far as I understand Keycloak, this is currently not possible.
>
> Kind Regards,
> Max
>
> On 10.07.18 at 14:58, Dmitry Telegin wrote:
>> Hi Vinay,
>>
>> From my experience, I'd say that:
>> - roles are more likely to reflect person's functions in the
>> organization;
>> - groups are more likely to reflect organizational structure.
>>
>> For example, if there are offices and departments (like "NY Office",
>> "IT Department"), that would normally map to nested groups.
>>
>> On the other hand, business functions would rather map to roles
>> (like "managers", "developers", "sysadmins" etc.)
>>
>> There's also a number of technical differences:
>> - akin to nested groups, there are composite roles. However, the logic
>> is different: if you grant a composite role to a user, every child role
>> would be granted, too (which is not true for groups);
>> - you can assign a role to a group (not vice versa);
>> - by default, Keycloak adapters can restrict access based on roles
>> only. If you want to use groups for the same, you'll need to turn on
>> authorization services and create corresponding policies.
>>
>> Could you please elaborate on your particular use case? If you describe
>> it briefly, I think we'll be able to decide what's better for you.
>>
>> Dmitry Telegin
>>
>> On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
>>> What is the difference between Keycloak roles and user groups? Are they
>>> interchangeable, i.e. can we use roles instead of groups or vice versa to
>>> address a problem? Is it possible to have roles within roles, just like
>>> groups?
>>> Clear guidelines on how to use groups and roles would help.
>>>
>>> thanks
>>> /Vinay
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
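The two approaches discussed in this thread, as an added example that is not code from the thread, from Keycloak or from Acutus: an application-side check that implements Dmitry's rule (global "coach" role plus shared group membership) next to the parsed COACH@team role naming Max considers, evaluated against constructed token claims. It assumes a Keycloak "Group Membership" protocol mapper that emits full group paths in a "groups" claim, the standard "realm_access" -> "roles" claim layout, and that the token has already been signature-verified; the claim values, user names and the FUNCTION@team naming pattern are assumptions for illustration.

```python
"""
Added example, not code from the thread or from Keycloak: an application-side
evaluation of team-scoped "coach" access, covering both the approach Dmitry
suggests (global "coach" role + shared group membership) and the parsed
FUNCTION@team role naming Max considers.

Assumptions not stated in the thread:
- a Keycloak "Group Membership" protocol mapper adds a "groups" claim holding
  full group paths such as "/club1/team1_1";
- realm roles appear in the standard "realm_access" -> "roles" claim;
- team-scoped roles follow the pattern FUNCTION@team, e.g. "COACH@team1_2";
- the token's signature, issuer and expiry have already been verified
  (only the decoded claims are handled here).
"""

# Constructed sample claims (not real tokens). Alice is a player in team1_1
# and a coach in team1_2; Bob is only a player in team1_1.
ALICE = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["coach", "player", "COACH@team1_2", "PLAYER@team1_1"]},
    "groups": ["/club1/team1_1", "/club1/team1_2"],
}
BOB = {
    "preferred_username": "bob",
    "realm_access": {"roles": ["player", "PLAYER@team1_1"]},
    "groups": ["/club1/team1_1"],
}


def realm_roles(claims):
    """Realm roles from the standard Keycloak claim layout."""
    return set(claims.get("realm_access", {}).get("roles", []))


def groups(claims):
    """Group paths from the (mapper-provided) 'groups' claim."""
    return set(claims.get("groups", []))


def team_name(group_path):
    """Last path segment of a group path: '/club1/team1_1' -> 'team1_1'."""
    return group_path.rstrip("/").rsplit("/", 1)[-1]


def can_access_player_data(requester, player_group):
    """Dmitry's rule: the requester holds the global 'coach' role and is a
    member of the same group (team) as the player."""
    return "coach" in realm_roles(requester) and player_group in groups(requester)


def scoped_roles(claims):
    """Parse FUNCTION@team roles into {team: {FUNCTION, ...}}.
    Roles without '@' (global ones such as 'coach') are ignored here."""
    scoped = {}
    for role in realm_roles(claims):
        func, sep, team = role.partition("@")
        if sep and func and team:
            scoped.setdefault(team, set()).add(func)
    return scoped


def can_access_player_data_scoped(requester, player_group):
    """Max's variant: the requester must hold COACH specifically for the
    player's team, regardless of which other teams they belong to."""
    team = team_name(player_group)
    return "COACH" in scoped_roles(requester).get(team, set())


if __name__ == "__main__":
    for who in (ALICE, BOB):
        for target in ("/club1/team1_1", "/club1/team1_2", "/club2/team2_1"):
            print(
                f"{who['preferred_username']:5} -> {target:15} "
                f"global+group: {can_access_player_data(who, target)!s:5} "
                f"scoped role: {can_access_player_data_scoped(who, target)}"
            )
```

Running it shows the difference Max points out: under the global-role rule Alice is granted coach access to team1_1 data although she is only a player there, because she holds "coach" globally and is a member of that group; the scoped variant denies it and allows only team1_2. The scoped variant is what requires one role per (function, team) pair, which is where the role-count concern in the thread comes from.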