[keycloak-dev] composite roles in

Stian Thorgersen stian at redhat.com
Wed Feb 5 08:37:13 EST 2014

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 5 February, 2014 1:24:24 PM
> Subject: Re: [keycloak-dev] composite roles in
> On 2/5/2014 6:57 AM, Stian Thorgersen wrote:
> > Instead of allowing multiple default roles should we not have a single
> > initial role on a realm? This means we can remove the default roles page,
> > and instead have a simple select list on the realm settings page.
> >
> I'd also like to consolidate default roles into one place on Realm Settings.
> Implementation wise, default roles wouldn't be a composite as I don't
> want it showing up in role listings, or having to put in special logic
> not to show it.

What I was thinking was that the default roles would be a single role. It could be a composite role if the user wanted to. You simply select which role you want to use as the default role that is assigned to all users when created.

This then lets you manage this role as a normal role, which means there's no special logic or screens required for it. It's possible to add/remove this role to users, apps, etc. if you want to. And as it can be a composite role you can add/remove roles to it if you want as well.

'Default roles' is confusing as well, is it not some initial roles granted users when they are created?

> > We could also have both an initial role and a default role associated with a
> > realm. The initial role is provided to users when they register or are
> > created through admin console, while the default role is always granted to
> > all users.
> >
> I don't agree you need two different types here.  What we really need is
> the ability to apply bulk changes to users.

Are there not situations where you have some roles that all logged-in users should have? For example 'view-profile' would be an example of a role that all users should have regardless.

Then again there's the situation where you want to have roles allocated to users when they register, but you may want to remove those later. I'm not sure I'm that convinced about this use-case, but both you and Marek argued this would be needed. The reason I'm unsure about it is that if a user self-registers, then loses some registration roles, the user can simply re-register to gain those permissions again.

> > When listing and selecting roles it would be good if there was some
> > indication if it's a composite role or a simple role.
> >
> Ok, I'll add that.
> > Editing the roles is a bit confusing as the "Composite Realm Roles" and
> > "Composite Application Roles" sections are always shown. It was more clear
> > when there was a "composite" on/off toggle.
> Having a toggle at the Representation and data model was annoying,
> specifically having to specify composite: true in the json import file.
>   I forgot it twice when writing the tests :)
> So, I'll add the on/off toggle just to show/hide the composite field sets.
> > Also, can we have composite app roles? If so can a composite app role
> > consist of roles for other apps and realm?
> >
> Apps or realms can have composite roles.  These composites can be made
> up of any realm or app role.  Does the app-role screen not allow
> composites, not work?

This doesn't make sense to me. Why can you have an app specific role that can be made up of roles from other apps?

> Can't do cross-realm composites.
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 4 February, 2014 11:46:04 PM
> >> Subject: [keycloak-dev] composite roles in
> >>
> >> I still need to do a screencast (and eventually do some documentation).
> >>    I'm waiting on that as I want to see how our UI might change for the
> >> next release.  I had to change a bit in the import realm json
> >> representation to support composites.
> >>
> >> I'm going to take a look at Stan's Wildfly subsystem work next and see
> >> if it can be improved at all, or if it's ready to go.
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> > .
> >
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
