From my experience, I'd tell that:

What is a difference between keycloak roles and usergroups ? are they interchangeable i.e. can we use roles instead of groups or vice versa to address a problem ? Is it possible to have roles within roles, just like groups ? A clear guidelines on how to use groups and roles will help. thanks /Vinay _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Dmitry, do you know if there is any way to retrieve the group context of a role?

My use case would be that I have multiple sport clubs (group) with  multiple teams (subgroup) -club1 --team1_1 --team1_2 -club2 --team2_1 --team2_1 I have for example the role COACH but of course this role makes only  sense in context of the team.

As far as I understand keycloak this is currently not possible Kind Regards, Max Am 10.07.18 um 14:58 schrieb Dmitry Telegin: > Hi Vinay, > >  From my experience, I'd tell that: > - roles are more likely to reflect person's functions in the > organization; > - groups are more likely to reflect organizational structure. > > For example, if there are offices and departments (like "NY > Office", > "IT Department"), that would normally map to nested groups. > > On the other hand, business functions would rather map to roles > (like > "managers", "developers", "sysadmins" etc.) > > There's also a number of technical differences: > - akin to nested groups, there are composite roles. However, the > logic > is different: if you grant a composite role to a user, every child > role > would be granted, too (which is not true for groups); > - you can assign a role to a group (not vice versa); > - by default, Keycloak adapters can restrict access based on roles > only. If you want to use groups for the same, you'll need to turn > on > authorization services and create corresponding policies. > > Could you please elaborate on your particular use case? If you > describe > it briefly, I think we'll be able decide what's better for you. > > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info(a)acutus.pro > > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote: > > What is a difference between keycloak roles and usergroups ? are > > they > > interchangeable i.e. can we use roles instead of groups or vice > > versa > > to > > address a problem ? Is it possible to have roles within roles, > > just > > like > > groups ? > > A clear guidelines on how to use groups and roles will help. > > > > thanks > > /Vinay > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Dmitry, thank you for your reply > Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members). Yes I just was not sure if I overlooked something here. Regarding the fine grained approach. The problem would be that an User may be a PLAYER in a certain team/group but a COACH in a different team/group. > > I was thinking about creating roles like for example COACH@team1_1 and PLAYER@team_1_2. So during the permission evaulation I could parse this information. Unfortunatelly Keycloak has neither paging query support for Roles nor Groups and therefore this approach currently would not scale as you may generate a few thousand roles. My current idea is that I handle this hierachical role concept in a custom application and just use keycloak for authentication and global role management Kind Regards, Max Am 23.07.18 um 03:18 schrieb Dmitry Telegin: > Hi Max, > > On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote: > > Hi Dmitry, > > > > do you know if there is any way to retrieve the group context of a > > role? > > Could you please elaborate on the "group context of a role"? In > Keycloak, roles are not related to groups (however a group can > reference roles to be automatically assigned to group members). > > > My use case would be that I have multiple sport clubs (group) with > > multiple teams (subgroup) > > > > -club1 > > > > --team1_1 > > > > --team1_2 > > > > -club2 > > > > --team2_1 > > > > --team2_1 > > > > > > I have for example the role COACH but of course this role makes only > > sense in context of the team. > > I agree with that, but what's the (bigger) problem you're trying to > solve? > > I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following: > > - create the "coach" role; > - grant this role to all coaches; > - put your coaches into the corresponding groups (teams); > - use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player). > > Hope it helps, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info(a)acutus.pro > > > As far as I understand keycloak this is currently not possible > > > > > > Kind Regards, > > > > Max > > > > > > Am 10.07.18 um 14:58 schrieb Dmitry Telegin: > > > Hi Vinay, > > > > > >   From my experience, I'd tell that: > > > - roles are more likely to reflect person's functions in the > > > organization; > > > - groups are more likely to reflect organizational structure. > > > > > > For example, if there are offices and departments (like "NY > > > Office", > > > "IT Department"), that would normally map to nested groups. > > > > > > On the other hand, business functions would rather map to roles > > > (like > > > "managers", "developers", "sysadmins" etc.) > > > > > > There's also a number of technical differences: > > > - akin to nested groups, there are composite roles. However, the > > > logic > > > is different: if you grant a composite role to a user, every child > > > role > > > would be granted, too (which is not true for groups); > > > - you can assign a role to a group (not vice versa); > > > - by default, Keycloak adapters can restrict access based on roles > > > only. If you want to use groups for the same, you'll need to turn > > > on > > > authorization services and create corresponding policies. > > > > > > Could you please elaborate on your particular use case? If you > > > describe > > > it briefly, I think we'll be able decide what's better for you. > > > > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info(a)acutus.pro > > > > > > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote: > > > > What is a difference between keycloak roles and usergroups ? are > > > > they > > > > interchangeable i.e. can we use roles instead of groups or vice > > > > versa > > > > to > > > > address a problem ? Is it possible to have roles within roles, > > > > just > > > > like > > > > groups ? > > > > A clear guidelines on how to use groups and roles will help. > > > > > > > > thanks > > > > /Vinay > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user