[keycloak-dev] roles vs. groups
Pedro Igor Silva
psilva at redhat.com
Tue Nov 3 17:13:23 EST 2015
----- Original Message -----
> From: "Jorge Solórzano" <jorsol at gmail.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, November 3, 2015 7:33:07 PM
> Subject: Re: [keycloak-dev] roles vs. groups
>
> I think the concepts should be standardized:
>
> Permissions: are the most atomic level of a security policy and they
> are statements of functionality. Can you open a door? Can you read a
> file? Can you delete a customer record? Can you push a button?
>
> Roles: are effectively a collection of permissions used to simplify
> the management of permissions and users. So users can be assigned
> roles instead of being assigned permissions directly, which can get
> complicated with larger user bases and more complex applications. So,
> for example, a bank application might have an administrator role or a
> bank teller role.
>
> Users: A user is the "who" of an application.
>
> Groups: are a collection of users and define a set of roles/permissions;
> users are members of groups.
>
> The association for me is something like this:
> Groups can have Roles and/or Permissions associated with them.
> Users can have Roles and Permissions and can be members of Groups; by
> inheritance, users that are members of groups have all the permissions
> associated with the groups.
> Roles can have one or more permissions; these are explicit permissions.
>
> There should be deny permissions too.
Don't you think that positive logic is enough?
>
>
> Jorge Solórzano
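The model from the quoted message, resolved once with positive logic only and once with deny permissions, as an added example that is not part of the original thread and is not Keycloak code. The class names, permission strings, sample users and the rule that a deny from any source overrides every grant are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # a role is a named collection of permissions

@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)
    permissions: set = field(default_factory=set)
    denied: set = field(default_factory=set)   # hypothetical deny permissions

@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    permissions: set = field(default_factory=set)
    denied: set = field(default_factory=set)   # hypothetical deny permissions

def granted(user):
    """Positive logic only: union of direct, role and group-inherited grants."""
    perms = set(user.permissions)
    for role in user.roles:
        perms |= role.permissions
    for group in user.groups:
        perms |= group.permissions
        for role in group.roles:
            perms |= role.permissions
    return perms

def effective(user):
    """Grants minus denies. Assumption: any deny overrides every grant."""
    denies = set(user.denied)
    for group in user.groups:
        denies |= group.denied
    return granted(user) - denies

# Constructed sample data, loosely following the bank example in the message.
teller = Role("bank-teller", frozenset({"account:read", "cash:withdraw"}))
admin = Role("administrator", frozenset({"account:read", "customer:delete"}))
branch = Group("branch-staff", roles=[teller], permissions={"door:open"})
trainees = Group("trainees", denied={"cash:withdraw"})

alice = User("alice", groups=[branch], roles=[admin])
bob = User("bob", groups=[branch, trainees])
```

With positive logic alone, removing `cash:withdraw` from bob means restructuring his group or role membership; with denies, one extra membership does it, at the cost of needing a conflict-resolution rule.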