[keycloak-dev] roles vs. groups
Bill Burke
bburke at redhat.com
Tue Nov 3 16:08:12 EST 2015
On 11/3/2015 4:04 PM, Bill Burke wrote:
> Stian and I were having a conversation about roles, keycloak composite
> roles, vs. groups. It seems that groups and roles are often confused
> and one can be equivalent to the other. One common thread is the following:
>
> Groups are user centric. Roles are permission centric.
>
> "A group is a means of organising users, whereas a role is usually a
> means of organising rights."
>
> So, keycloak composite roles would be a way to organise rights for a set
> of applications. For example, you might have a set of sales services,
> each sales service has an "admin" and "user" role. You'd define a
> "sales user" and "sales admin" role which would be a composite
> containing the "admin" and/or "user" role of each sales service.
>
> Conversely, a keycloak group would provide a way to organize a set of
> users. You would create a group called "sales associates" add members
> to it and then assign the roles members of the group can partake.
>
> Really, in Keycloak with composite roles, you can have a role act as a
> group. So, while groups and roles are logically the same, adding the
> concept of a group though provides distinction and clarity without
> overloading the concept of a composite.
>
> So, given that, Role mapping tab for Groups and Users would be named
> "Permissions" instead of "Role Mappings". Each role would have a
> "Rights" tab instead of the "Composite Role" concept we have now. That
> might bring more clarity? Or will it just confuse concepts that are
> going to be introduced by Pedro and his Authz stuff?
>
> I'm also thinking that a Groups and Role Namespaces could be combined.
> So a group would have a set of "Permissions" (role mappings) that are
> automatically granted to user members. The group could also define a
> set of "Roles" that apply to this group. So "Sales" could have a
> "Manager" role. This "Manager" role would be a composite role that
> assigns additional permissions. This would also allow us to define
> default roles for
>
Whoops, I didn't finish....
Combining Groups and Role Namespaces would allow us to define built in
roles for the Group that when assigned would allow management of the
members of the group.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
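A small model of the two concepts discussed in this thread, added here as an example (it is not Keycloak code): group role mappings and composite roles both resolve to a user's effective rights, and a composite mapped directly to a user yields the same result as membership in a group that holds it. The service, role and group names are constructed.

```python
from collections import deque

# Constructed sample data (not from Keycloak). Composite roles map a role to
# the roles it contains; leaf roles such as "orders:admin" have no entry.
COMPOSITES = {
    "sales admin": {"orders:admin", "quotes:admin", "sales user"},
    "sales user": {"orders:user", "quotes:user"},
}
# Role mappings held by a group; every member is granted them.
GROUP_ROLES = {
    "sales associates": {"sales user"},
    "sales managers": {"sales admin"},
}
USER_GROUPS = {"alice": {"sales associates"}, "bob": {"sales managers"}}
# carol gets the composite mapped directly: the role standing in for a group.
USER_ROLES = {"carol": {"sales admin"}}


def expand_roles(roles, composites=COMPOSITES):
    """Flatten composites into every role they grant, including themselves.

    A visited set makes this terminate even if an admin wires a composite
    into itself (directly or through another composite).
    """
    effective, queue = set(), deque(roles)
    while queue:
        role = queue.popleft()
        if role in effective:
            continue
        effective.add(role)
        queue.extend(composites.get(role, ()))
    return effective


def effective_roles(user):
    """Direct role mappings plus those inherited from group membership."""
    granted = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        granted |= GROUP_ROLES.get(group, set())
    return expand_roles(granted)


def has_right(user, right):
    """Permission check a service would make against the resolved roles."""
    return right in effective_roles(user)
```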