[keycloak-dev] roles vs. groups

Pedro Igor Silva psilva at redhat.com
Tue Nov 3 17:13:23 EST 2015


----- Original Message -----
> From: "Jorge Solórzano" <jorsol at gmail.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, November 3, 2015 7:33:07 PM
> Subject: Re: [keycloak-dev] roles vs. groups
> 
> I think the concepts should be standardized:
> 
> Permissions: are the most atomic level of a security policy and they
> are statements of functionality. Can you open a door? Can you read a
> file? Can you delete a customer record? Can you push a button?
> 
> Roles: are effectively a collection of permissions used to simplify
> the management of permissions and users. So users can be assigned
> roles instead of being assigned permissions directly, which can get
> complicated with larger user bases and more complex applications. So,
> for example, a bank application might have an administrator role or a
> bank teller role.
> 
> Users: A user is the "who" of an application.
> 
> Groups: A group is a collection of users and defines a set of
> roles/permissions; users are members of groups.
> 
> The association for me is something like this:
> Groups can have Roles and/or Permissions associated with them.
> Users can have Roles and Permissions and can be members of Groups; by
> inheritance, users that are members of groups have all the permissions
> associated with the groups.
> Roles can have one or more permissions; these are explicit permissions.
> 
> There should be deny permissions too.

Don't you think that positive logic is enough?

> 
> 
> Jorge Solórzano
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
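
The model proposed in the quoted message, evaluated once with positive logic only and once with deny permissions, as an added example (not code from this thread or from Keycloak). The class names, permission strings, the `honor_denies` flag and the deny-overrides conflict rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)
    permissions: set = field(default_factory=set)
    denied: set = field(default_factory=set)

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    permissions: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    groups: list = field(default_factory=list)

def granted(user):
    """Positive logic: union of every grant reachable from the user."""
    perms = set()
    for holder in [user, *user.groups]:
        perms |= holder.permissions
        for role in holder.roles:
            perms |= role.permissions
    return perms

def denied(user):
    """Explicit denies set on the user or inherited from groups."""
    return set(user.denied).union(*(g.denied for g in user.groups))

def is_allowed(user, permission, honor_denies=True):
    # Assumed conflict rule: an explicit deny beats any grant (deny-overrides).
    if honor_denies and permission in denied(user):
        return False
    return permission in granted(user)  # nothing granted means no access

# Constructed sample data based on the bank example in the message.
teller = Role("teller", {"customer:read", "account:deposit"})
admin = Role("administrator", {"customer:read", "customer:delete"})
branch_staff = Group("branch-staff", roles=[teller])
contractors = Group("contractors", denied={"customer:delete"})
alice = User("alice", roles=[admin], groups=[branch_staff, contractors])
```

With positive logic alone, adding a group membership can only widen a user's access; once denies exist, a membership can also narrow it, so the evaluator needs a defined rule for grant/deny conflicts.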


