[keycloak-dev] user groups vs. client groups
Bill Burke
bburke at redhat.com
Tue Nov 3 16:20:58 EST 2015

In my previous email I talked about combining Groups and Role
Namespaces. Now I want to talk about User Groups vs. Client Groups.

User Groups would manage a set of users. Members would automatically
inherit a set of "permissions": a set of roles. User Groups would also
provide a set of attributes that the user inherits.

I'd like to introduce the concept of a Client Group. Client Group would
have:

* Roles - basically a role namespace
* Permissions - set of roles service accounts members inherit
* Scope - same as our current concept of scope
* Protocol Policies - common protocol configuration.

Each Client Group would have some default roles defined, i.e. roles
that allow a user to edit any client in the client group.

Each Client would have the same configuration options. They would be
able to have an additional set of roles, permissions, scope, and
overridable Protocol Policies.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com