Hi,
I want to keep my roles and permissions simple, but I have some specific requirements and
I’m struggling to map these to Keycloak groups or roles. For example, I need to assign
users to predefined roles based on their current „location“. Instead of describing the
actual roles of my portal, I’ll use a student portal to give an example of what I’m
looking for. It should be more self-explanatory.
Think of a student portal where there is a „global“ area where students can see the
courses they are enrolled in, and „course“ areas for each of the courses with course
material etc:
* Students can sign in to the student portal with their student id. They can see their
courses on the „global“ page, but not others.
* Students can’t create courses, but they can be administrators within selected
courses (think of tutors who get another role assigned by a course’s professor).
* Professors can see all courses, and create new ones. They can enroll students into
courses and assign them a specific role for this course (e.g. tutor, guest, „normal
student“).
* Professors have no permissions to courses they don’t own.
Roles and permissions.
As mentioned above, there are two scopes, global and course. A user has one role at a time,
depending on his/her current location.
* GLOBAL_PROFESSOR: This is the role a professor has on the global scope. Here she/he
can create new courses, and administer (create, delete, open, close) his own courses. Has
otherwise no permissions for courses of other professors.
* COURSE_PROFESSOR: This is the role a professor has on the course scope. Here she/he
has admin rights, can assign course roles to students etc. as explained above.
* GLOBAL_STUDENT: The role a student has on the global scope. Here she/he can see
courses, but can’t do much else.
* COURSE_STUDENT: The role a student has within the scope of a particular course, e.g.
see all course materials, upload new stuff, post messages in a course forum, etc.
* COURSE_TUTOR: Same as student, plus they can e.g. enroll students to the course,
delete assets of other students of this course, etc.
* COURSE_GUEST: Can view course content, but can’t upload files or do much else but
view and download stuff.
I could create groups for each of the courses and each role – but that is actually what
I’d rather want to avoid for maintenance reasons and simplicity.
What group and role definition model would you suggest for this in Keycloak?
Cheers
Ben
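To make the two-scope model from the post concrete, here is an added example (my own code, not Ben's and not a Keycloak feature) that resolves a user's single effective role from a decoded token and checks an action against it. The claim names `realm_role` and `course_roles` and the token payloads are constructed assumptions for the example; in a real deployment they would be filled by whatever role or attribute mapper the realm uses.

```python
from typing import Optional

# Permissions per role, following the bullets in the post.
PERMISSIONS = {
    "GLOBAL_PROFESSOR": {"create_course", "list_courses"},
    "GLOBAL_STUDENT": {"list_enrolled_courses"},
    "COURSE_PROFESSOR": {"view", "download", "upload", "post", "enroll",
                         "assign_role", "delete_any_asset", "open_close_course"},
    "COURSE_TUTOR": {"view", "download", "upload", "post", "enroll",
                     "delete_any_asset"},
    "COURSE_STUDENT": {"view", "download", "upload", "post"},
    "COURSE_GUEST": {"view", "download"},
}

# Constructed decoded-token payloads (assumed claim layout, not Keycloak's).
# "realm_role" is the global role; "course_roles" maps course id -> course role.
PROFESSOR_TOKEN = {"realm_role": "PROFESSOR",
                   "course_roles": {"math-101": "PROFESSOR"}}
STUDENT_TOKEN = {"realm_role": "STUDENT",
                 "course_roles": {"math-101": "STUDENT", "cs-200": "TUTOR"}}


def effective_role(token: dict, course_id: Optional[str] = None) -> Optional[str]:
    """Return the one role the user holds at the current location.

    course_id None means the global area; otherwise the course being visited.
    A user with no entry for that course (not enrolled, not the owner) gets
    no role at all, which is how "professors have no permissions to courses
    they don't own" is enforced.
    """
    if course_id is None:
        return "GLOBAL_" + token["realm_role"]
    course_role = token.get("course_roles", {}).get(course_id)
    return None if course_role is None else "COURSE_" + course_role


def is_allowed(token: dict, action: str, course_id: Optional[str] = None) -> bool:
    """Deny by default: no effective role, or action not granted to it."""
    role = effective_role(token, course_id)
    return role is not None and action in PERMISSIONS.get(role, set())


if __name__ == "__main__":
    print(effective_role(STUDENT_TOKEN, "cs-200"))          # COURSE_TUTOR
    print(is_allowed(STUDENT_TOKEN, "enroll", "cs-200"))    # True
    print(is_allowed(PROFESSOR_TOKEN, "view", "cs-200"))    # False (not owner)
```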