Hi Max,
What about user attributes?
No matter which team/group the Coach is in, you can go to User > Attributes, and add a
multivalued attribute describing teams/groups this coach should have access to. (The
values should be separated with ##)
After that, you'll be able (hopefully :) to use this info in a JavaScript policy for
permission evaluation.
Cheers,
Dmitry
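The check Dmitry sketches above (a "##"-separated multivalued user attribute read from a JavaScript policy), combined with the rule from his earlier reply (grant only if the requester has the "coach" role and the player belongs to a team that coach is assigned to), written out as an added example that is not code from the thread. The attribute name `coach_teams`, the team paths and the plain `identity` object standing in for what Keycloak's `$evaluation.getContext().getIdentity()` would supply at runtime are assumptions so the logic can run offline.

```javascript
// Added example, not from the mailing-list thread. Models the decision a
// Keycloak JavaScript policy would make: a coach may read a player's data only
// for the teams listed in the coach's multivalued "coach_teams" user attribute
// (assumed name). Keycloak supplies roles/attributes via $evaluation at
// runtime; here "identity" is a plain object so the logic can be tested.

// Split attribute values on the "##" separator used when entering multivalued
// attributes in the admin console, trim whitespace and drop empty entries.
function parseTeams(rawValues) {
  const teams = new Set();
  for (const raw of rawValues || []) {
    for (const part of String(raw).split('##')) {
      const team = part.trim();
      if (team) teams.add(team);
    }
  }
  return teams;
}

// identity:   { realmRoles: [...], attributes: { coach_teams: [...] } }
// playerTeam: group path of the player being accessed, e.g. '/club1/team1_1'
// Returns 'grant' or 'deny', mirroring $evaluation.grant() / $evaluation.deny().
function evaluateCoachAccess(identity, playerTeam) {
  // Both conditions from the thread: the global "coach" role AND team scope.
  if (!identity.realmRoles.includes('coach')) return 'deny';
  const teams = parseTeams(identity.attributes.coach_teams);
  // Exact path match: coaching /club1/team1_1 says nothing about
  // /club1/team1_2, even if the same user plays there.
  return teams.has(playerTeam) ? 'grant' : 'deny';
}

// Constructed sample: a user who is COACH for two teams but only a PLAYER in
// team1_2, the mixed case Max raised.
const sampleCoach = {
  realmRoles: ['coach', 'player'],
  attributes: { coach_teams: ['/club1/team1_1##/club2/team2_1'] },
};

function runSamples() {
  const playerOnly = { realmRoles: ['player'], attributes: sampleCoach.attributes };
  return {
    ownTeam: evaluateCoachAccess(sampleCoach, '/club1/team1_1'),
    otherClub: evaluateCoachAccess(sampleCoach, '/club2/team2_1'),
    memberNotCoach: evaluateCoachAccess(sampleCoach, '/club1/team1_2'),
    noCoachRole: evaluateCoachAccess(playerOnly, '/club1/team1_1'),
  };
}
```

Because the scoping lives in an attribute rather than in thousands of roles, it scales with the number of coaches instead of the number of teams, which is the paging limitation Max ran into.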
On Wed, 2018-07-25 at 09:06 +0000, Max Bruchmann wrote:
Hi Dmitry,
thank you for your reply.
> Keycloak, roles are not related to groups (however a group can reference roles to be
> automatically assigned to group members).
Yes I just was not sure if I overlooked something here.
Regarding the fine grained approach. The problem would be that a User may be a PLAYER in
a certain team/group but a COACH in a different team/group.
> > I was thinking about creating roles like for example COACH@team1_1 and
> > PLAYER@team_1_2. So during the permission evaluation I could parse this information.
Unfortunately Keycloak has neither paging query support for Roles nor Groups and
therefore this approach currently would not scale as you may generate a few thousand
roles.
My current idea is that I handle this hierarchical role concept in a custom application
and just use keycloak for authentication and global role management.
Kind Regards,
Max
On 23.07.18 at 03:18, Dmitry Telegin wrote:
> Hi Max,
>
> On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> > Hi Dmitry,
> >
> > do you know if there is any way to retrieve the group context of a
> > role?
>
> Could you please elaborate on the "group context of a role"? In
> Keycloak, roles are not related to groups (however a group can
> reference roles to be automatically assigned to group members).
>
> > My use case would be that I have multiple sport clubs (group) with
> > multiple teams (subgroup)
> >
> > -club1
> >
> > --team1_1
> >
> > --team1_2
> >
> > -club2
> >
> > --team2_1
> >
> > --team2_1
> >
> >
> > I have for example the role COACH but of course this role makes only
> > sense in context of the team.
>
> I agree with that, but what's the (bigger) problem you're trying to
> solve?
>
> I'd imagine that you want to grant coaches some privileged access to the
> players' data; the coach should manage only the team he is assigned to. If that's
> what you're trying to do, I'd suggest the following:
>
> - create the "coach" role;
> - grant this role to all coaches;
> - put your coaches into the corresponding groups (teams);
> - use fine-grained permissions to implement access rules (grant access to the
> players' data if the requester has the "coach" role and belongs to the same
> group as the player).
>
> Hope it helps,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> > As far as I understand keycloak this is currently not possible
> >
> >
> > Kind Regards,
> >
> > Max
> >
> >
> > On 10.07.18 at 14:58, Dmitry Telegin wrote:
> > > Hi Vinay,
> > >
> > > From my experience, I'd say that:
> > > - roles are more likely to reflect a person's functions in the
> > > organization;
> > > - groups are more likely to reflect organizational structure.
> > >
> > > For example, if there are offices and departments (like "NY
> > > Office",
> > > "IT Department"), that would normally map to nested groups.
> > >
> > > On the other hand, business functions would rather map to roles
> > > (like
> > > "managers", "developers", "sysadmins" etc.)
> > >
> > > There's also a number of technical differences:
> > > - akin to nested groups, there are composite roles. However, the
> > > logic
> > > is different: if you grant a composite role to a user, every child
> > > role
> > > would be granted, too (which is not true for groups);
> > > - you can assign a role to a group (not vice versa);
> > > - by default, Keycloak adapters can restrict access based on roles
> > > only. If you want to use groups for the same, you'll need to turn
> > > on
> > > authorization services and create corresponding policies.
> > >
> > > Could you please elaborate on your particular use case? If you
> > > describe
> > > it briefly, I think we'll be able to decide what's better for you.
> > >
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info(a)acutus.pro
> > >
> > > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> > > > What is the difference between keycloak roles and usergroups? Are
> > > > they
> > > > interchangeable, i.e. can we use roles instead of groups or vice
> > > > versa
> > > > to
> > > > address a problem? Is it possible to have roles within roles,
> > > > just
> > > > like
> > > > groups?
> > > > Clear guidelines on how to use groups and roles will help.
> > > >
> > > > thanks
> > > > /Vinay
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > >
https://lists.jboss.org/mailman/listinfo/keycloak-user