Thanks for the quick response.
> Can an admin of the parent group administer sub groups?
Yes, I think so. It should be hierarchical. If you don’t want them to have that privilege then make them only admin of the sub-group.
I like the idea of each group having a "user-admin" role.
Say you have an application that allows users to create/modify/share documents.
I see Groups as useful for tagging the document with the Group Id (in addition to the User Id) so that if another user logs in from the same group and the original user has chosen to allow this document to be shared within their group, the application can securely retrieve all the documents that are shared within their group.
Hope this makes sense,
Nic
Date: Wed, 14 Oct 2015 19:23:46 -0400
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Keycloak to set up Teams and Organizations
To: keycloak-user(a)lists.jboss.org
Message-ID: <561EE402.7090608(a)redhat.com>
On 10/14/2015 7:06 PM, Nic Grange wrote:
> From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
>
Exactly.
>
>
> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
>
> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administer only data created/owned by users in that group).
>
I like that idea. A better alternative might be that each group has a
"user-admin" role. If a user has the "user-admin" role of the group, it
can administer users in that group and assign roles defined in that
group. One thing to really think about is, what about sub-groups. Can
an admin of the parent group administer sub groups?
--
Bill Burke
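
The model discussed in this thread, as an added example (not code from Keycloak or from either poster): an application-side check where a group's "user-admin" role applies hierarchically to sub-groups, and documents are tagged with both a user id and a group id. The "/"-separated group paths, the `User` and `Document` types and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumption: groups are identified by "/"-separated paths, e.g. "/acme/eng" is a
# sub-group of "/acme". Membership and role data are taken to come from the
# identity provider, never from client-supplied request fields.

def is_same_or_subgroup(ancestor: str, group: str) -> bool:
    """True if `group` is `ancestor` or nested below it.
    Compares whole path segments, so "/acme/eng" does not match "/acme/engineering"."""
    a = [s for s in ancestor.split("/") if s]
    g = [s for s in group.split("/") if s]
    return len(a) > 0 and g[:len(a)] == a   # an empty ancestor grants nothing

@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset         # groups the user is a member of
    user_admin_of: frozenset  # groups where the user holds "user-admin"

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str             # tagged with the User Id ...
    group_id: str             # ... and additionally with the Group Id
    shared_with_group: bool   # owner's choice to share within their group

def can_administer(user: User, target_group: str) -> bool:
    """Hierarchical rule: user-admin of a parent group covers its sub-groups."""
    return any(is_same_or_subgroup(g, target_group) for g in user.user_admin_of)

def visible_documents(user: User, docs):
    """Own documents, plus those the owner shared within a group the user is in."""
    return [d for d in docs
            if d.owner_id == user.user_id
            or (d.shared_with_group and d.group_id in user.groups)]

# Constructed sample data.
ALICE = User("alice", frozenset({"/acme/eng"}), frozenset({"/acme"}))
BOB = User("bob", frozenset({"/acme/eng"}), frozenset({"/acme/eng"}))
CAROL = User("carol", frozenset({"/acme/engineering"}), frozenset())
DOCS = [
    Document("d1", "bob", "/acme/eng", True),
    Document("d2", "bob", "/acme/eng", False),
    Document("d3", "carol", "/acme/engineering", True),
]

if __name__ == "__main__":
    print(can_administer(ALICE, "/acme/eng/backend"))
    print([d.doc_id for d in visible_documents(ALICE, DOCS)])
```

To restrict someone to a sub-group only, as suggested above, give them "user-admin" on the sub-group path and not on the parent.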