[keycloak-dev] composite roles in

Bill Burke bburke at redhat.com
Wed Feb 5 09:05:26 EST 2014

On 2/5/2014 8:37 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 5 February, 2014 1:24:24 PM
>> Subject: Re: [keycloak-dev] composite roles in
>> On 2/5/2014 6:57 AM, Stian Thorgersen wrote:
>>> Instead of allowing multiple default roles should we not have a single
>>> initial role on a realm? This means we can remove the default roles page,
>>> and instead have a simple select list on the realm settings page.
>> I'd also like to consolidate default roles into one place on Realm Settings.
>> Implementation wise, default roles wouldn't be a composite as I don't
>> want it showing up in role listings, or having to put in special logic
>> not to show it.
> What I was thinking was that the default roles would be a single role. It could be a composite role if the user wanted to. You simply select which role you want to use as the default role that is assigned to all users when created.
> This then lets you manage this role as a normal role, which means there's no special logic or screens required for it. It's possible to add/remove this role to users, apps, etc. if you want to. And as it can be a composite role you can add/remove roles to it if you want as well.
> 'Default roles' is confusing as well, is it not some initial roles granted to users when they are created?

There's special logic as you don't want "DEFAULT ROLE" showing up in the 
OAuth Grant page.  There's also an additional screen required, in that 
you have to specify what your default role is.  Also you have to have 2 
clicks to actually view what the default roles are.

IMO, just have 1 default-roles screen where you can see and manage your 
default roles in one place.

>>> We could also have both an initial role and a default role associated with a
>>> realm. The initial role is provided to users when they register or are
>>> created through admin console, while the default role is always granted to
>>> all users.
>> I don't agree you need two different types here.  What we really need is
>> the ability to apply bulk changes to users.
> Are there not situations where you have some roles that all logged-in users should have? For example 'view-profile' would be an example of a role that all users should have regardless.

Right now, this is automatically added to default roles, right?

> Then again there's the situation where you want to have roles allocated to users when they register, but you may want to remove those later. I'm not sure I'm that convinced about this use-case, but both you and Marek argued this would be needed. The reason I'm unsure about it is that if a user self-registers, then loses some registration roles, the user can simply re-register to gain those permissions again.

The case is when I want to disallow a role for 1 user, so I have to 
remove that role from "default roles" which would then require me to add 
that role to every other user.

>> Apps or realms can have composite roles.  These composites can be made
>> up of any realm or app role.  Does the app-role screen not allow
>> composites, not work?
> This doesn't make sense to me. Why can you have an app specific role that can be made up of roles from other apps?

Makes a lot of sense when you have an application that is a REST service 
that is being called by another application.  Our demo for instance.  So 
a "USER" role in the customer-portal would have "CUSTOMER_READ" 
privilege in the database-service.

Bill Burke
JBoss, a division of Red Hat
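
The following is an added example (not Keycloak code and not from either participant) that models the two points argued above in runnable form: composite roles whose members can come from any realm or app, expanded transitively so that a customer-portal USER carries database-service CUSTOMER_READ, and the difference between default roles that are copied onto each user at creation and a single shared (possibly composite) default role. The realm name "demo", the ADMIN and CUSTOMER_WRITE roles, the DEFAULT_ROLE name and all users are constructed for the example; only USER, CUSTOMER_READ, view-profile, customer-portal and database-service come from the thread.

```python
"""Toy model of composite roles and default-role semantics (added example).

Roles are keyed as (container, name); the container is the realm name or an
app name, so a composite in one app may be made up of roles from other apps
or from the realm, exactly as the demo's customer-portal USER is.
"""
from collections import deque

# Composite role -> the roles it is made up of. Members may themselves be
# composite. Realm "demo", ADMIN and CUSTOMER_WRITE are constructed here.
COMPOSITES = {
    ("customer-portal", "USER"): {
        ("database-service", "CUSTOMER_READ"),
        ("demo", "view-profile"),
    },
    ("customer-portal", "ADMIN"): {
        ("customer-portal", "USER"),
        ("database-service", "CUSTOMER_WRITE"),
    },
}


def expand(roles, composites=COMPOSITES):
    """Transitively expand composites into the effective role set.

    Breadth-first with a visited set, so a misconfigured cycle of composites
    terminates instead of recursing forever.
    """
    effective = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in effective:
            continue
        effective.add(role)
        queue.extend(composites.get(role, ()))
    return effective


def roles_for_app(effective, app):
    """Role names a token issued for `app` would carry."""
    return {name for container, name in effective if container == app}


def effective_for(user, composites=COMPOSITES):
    return expand(user["roles"], composites)


def deny_role(user, role):
    """Revoke one direct role mapping from one user; no effect on others."""
    user["roles"].discard(role)


# --- the two default-role semantics discussed in the thread ---------------

DEFAULT_ROLES = {("demo", "view-profile"), ("customer-portal", "USER")}


def create_user_copy(username):
    """Default roles copied onto the user at creation.

    Removing one of them from a single user later is a plain per-user edit
    and leaves every other user's mappings untouched.
    """
    return {"username": username, "roles": set(DEFAULT_ROLES)}


# A single shared default role that is itself a composite of DEFAULT_ROLES.
SHARED_DEFAULT = ("demo", "DEFAULT_ROLE")
SHARED_COMPOSITES = dict(COMPOSITES)
SHARED_COMPOSITES[SHARED_DEFAULT] = set(DEFAULT_ROLES)


def create_user_shared(username):
    """Every user holds the one shared default role; its members stay linked."""
    return {"username": username, "roles": {SHARED_DEFAULT}}


if __name__ == "__main__":
    alice = create_user_copy("alice")
    deny_role(alice, ("customer-portal", "USER"))
    print("alice @ database-service:", roles_for_app(effective_for(alice), "database-service"))
    bob = create_user_copy("bob")
    print("bob   @ database-service:", roles_for_app(effective_for(bob), "database-service"))
    carol = create_user_shared("carol")
    deny_role(carol, ("database-service", "CUSTOMER_READ"))  # not a direct mapping
    print("carol @ database-service:",
          roles_for_app(effective_for(carol, SHARED_COMPOSITES), "database-service"))
```

Running it shows the trade-off behind the "disallow a role for 1 user" case: with copied defaults, alice can lose customer-portal USER (and with it CUSTOMER_READ) while bob keeps both; with the shared composite, the only mapping carol actually holds is DEFAULT_ROLE, so CUSTOMER_READ cannot be revoked for her alone without editing the composite, which changes it for everyone.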
