[keycloak-dev] roles vs. groups
Jorge Solórzano
jorsol at gmail.com
Tue Nov 3 16:33:07 EST 2015
I think the concepts should be standardized:
Permissions: are the most atomic level of a security policy and they
are statements of functionality. Can you open a door? Can you read a
file? Can you delete a customer record? Can you push a button?
Roles: are effectively a collection of permissions used to simplify
the management of permissions and users. So users can be assigned
roles instead of being assigned permissions directly, which can get
complicated with larger user bases and more complex applications. So,
for example, a bank application might have an administrator role or a
bank teller role.
Users: A user is the "who" of an application.
Groups: Is a collection of users and define a set of roles/permisions,
users are members of groups.
The asociation for me is something like this:
Groups can have Roles and/or Permisions asociated to it.
User can have Roles and Permisions and can be members of Groups, by
inheritance users that are members of groups have all the permisions
asociated to the groups.
Roles can have one ore more permissions, this are explicit permisions.
There should be deny permisions too.
Jorge Solórzano
More information about the keycloak-dev
mailing list