[keycloak-dev] groups vs. organizations

Scott Rehorn Scott.Rehorn at software.dell.com
Fri Jul 31 14:42:55 EDT 2015


I think it is true that an organization is kind of a special case of a
'group'. We had specific requirements for the concept of what amounted to
a single group just to bind a few shared attributes between related
relying parties (clients). We decided to deliberately push a group concept
for 'later' because there are a bunch of complicating factors with groups.
One is that groups are often defined in people's IdPs (esp. with Active
Directory), and the policy for mapping or merging those defs dragged in
more complexity than we wanted to do right away. Another is that groups
often want to be nested and that's again more complexity than we were
willing to bite off for so simple a function as an org.

To answer your specific question about the specific common set of
attributes - if I'm following your question, we reluctantly call this
'schema' in that it's a known, predefined set of attribute keys which can
have arbitrary values (and that new attribute keys are not normally added
by userland code). We have an expectation that defining attributes as
enforceable "schema" (including validation for values) is a feature that
will be required for orgs and users but our first cut doesn't go that far.

So I think that while organizations *could* be implemented as a group with
special constraints, it would stretch the abstraction a little too far.
Normally, I'm a 'turtles-all-the-way-down' kind of guy, but in this case,
I think that org (or tenants) is a valuable concept to exist separate from
the idea of a group. In fact, it might come down to an implementation
style - from the API/UX perspective, presentation of 'orgs' might just be
sugar on top of a more general graph-style group implementation.


On 7/30/15, 3:28 PM, "Bill Burke" <bburke at redhat.com> wrote:

>Scott,
>
>I'm trying to wrap my head around how your concept of an organization is
>different than a group.  Wouldn't an organization just be a
>stricter form of a group?  A group could have any arbitrary roles and
>attributes associated with it.  An organization could too.
>
>Is the difference that the organization has a specific common set of
>attributes?  i.e. what's in saml organization descriptors.
>
>My thinking is that we'd have both organizations and groups.  They would
>work the same exact way except organization would have some pre-defined
>attribute types.
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com



