[keycloak-dev] RFC: organizations

Juraci Paixão Kröhling jpkroehling at redhat.com
Tue Jul 28 04:18:21 EDT 2015

On 07/28/2015 09:04 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 28 July, 2015 8:12:14 AM
>> Subject: Re: [keycloak-dev] RFC: organizations
>> We have a *very* similar use case and we have implemented the notion of
>> "Organizations" (and "Personas") in Hawkular, in a module named
>> "Hawkular Accounts". In our case, an user can belong to multiple
>> organizations, and can have different roles within each organization
>> ("Super User" in "Operations", but "Monitor" on "Marketing").
> Can you not already model that in Keycloak by having a separate clients for "Operations" and "Marketing" with the corresponding roles?

With the current features related to Clients, it might actually be 
possible. Would it be possible to restrict which users can login with 
which clients? For instance:

- jdoe registers
- jdoe creates "Acme, Inc" (and is then super user there)
- jsmith registers
- jsmith creates "Red Hat, Inc" (and is then super user there)
- jdoe invites jsmith to "Acme, Inc" to be "Monitor" there

- jdoe should never have access to "Red Hat, Inc"
- jsmith should have access to:
   - his "own" resources (not part of any organization)
   - resources owned by "Acme, Inc" (as Monitor)
   - resources owned by "Red Hat, Inc" (as Super User).

This scenario is the main reason why we have Hawkular Accounts between 
the individual HK components and Keycloak. With this covered, I think 
pretty much all of the other use cases can be worked out quite easily.

- Juca.

More information about the keycloak-dev mailing list