[keycloak-dev] roles vs. groups

Jorge Solórzano jorsol at gmail.com
Tue Nov 3 19:02:38 EST 2015


Let's suppose you have a group called "GroupA", and that group has the roles
"Create invoice" (this has 13 permissions), "Remove invoice" (this has 5
permissions), "Update invoice" (this has 19 permissions)...

I assign 25 users to Group A, but 2 users should not have 3 permissions
(different ones for each of the two users). Should I need to create "GroupB" and
"GroupC" with the exact permissions, just to handle these 3 permission
exclusions?

It probably can be a little overkill, but IMHO it is more flexible than
an all-or-nothing approach.

Jorge Solórzano

On Tue, Nov 3, 2015 at 4:13 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> ----- Original Message -----
>> From: "Jorge Solórzano" <jorsol at gmail.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, November 3, 2015 7:33:07 PM
>> Subject: Re: [keycloak-dev] roles vs. groups
>>
>> I think the concepts should be standardized:
>>
>> Permissions: are the most atomic level of a security policy and they
>> are statements of functionality. Can you open a door? Can you read a
>> file? Can you delete a customer record? Can you push a button?
>>
>> Roles: are effectively a collection of permissions used to simplify
>> the management of permissions and users. So users can be assigned
>> roles instead of being assigned permissions directly, which can get
>> complicated with larger user bases and more complex applications. So,
>> for example, a bank application might have an administrator role or a
>> bank teller role.
>>
>> Users: A user is the "who" of an application.
>>
>> Groups: a collection of users that defines a set of roles/permissions;
>> users are members of groups.
>>
>> The association for me is something like this:
>> Groups can have Roles and/or Permissions associated to them.
>> Users can have Roles and Permissions and can be members of Groups; by
>> inheritance, users that are members of groups have all the permissions
>> associated to the groups.
>> Roles can have one or more permissions; these are explicit permissions.
>>
>> There should be deny permissions too.
>
> Don't you think that positive logic is enough?
>
>>
>>
>> Jorge Solórzano
>>
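The "GroupA with two exceptions" case above, worked through both ways as an added example (not code from this thread or from Keycloak): positive logic only, where the exceptions get a narrower extra group, versus an explicit deny list that is subtracted after every grant. Role and permission names are constructed, and the per-role counts are abbreviated.

```python
# Added example, not from the thread or Keycloak: a minimal RBAC model that
# compares positive-only logic (extra group) with explicit deny permissions.
from dataclasses import dataclass, field

# Roles are named sets of atomic permissions (constructed sample values; the
# thread's 13/5/19 permissions per role are abbreviated to a few each).
ROLES = {
    "create-invoice": {"invoice:create", "customer:read", "product:read"},
    "remove-invoice": {"invoice:delete", "invoice:read"},
    "update-invoice": {"invoice:update", "invoice:read", "price:override"},
}

@dataclass
class Group:
    roles: set = field(default_factory=set)        # roles granted to members
    permissions: set = field(default_factory=set)  # direct grants
    deny: set = field(default_factory=set)         # explicit exclusions

@dataclass
class User:
    groups: set = field(default_factory=set)
    deny: set = field(default_factory=set)

def role_permissions(roles):
    return set().union(*(ROLES[r] for r in roles))

def effective_permissions(user, groups, allow_deny=False):
    """Union of everything granted through the user's groups. With
    allow_deny=True, deny entries (group or user level) are subtracted last,
    so a deny always wins no matter which group granted the permission."""
    allowed, denied = set(), set()
    for name in user.groups:
        g = groups[name]
        allowed |= role_permissions(g.roles) | g.permissions
        denied |= g.deny
    return allowed - (denied | user.deny) if allow_deny else allowed

ALL_INVOICE = set(ROLES)
EXCLUDED = {"price:override"}   # the permission the exception users must not get

# Option 1, positive logic only: a second group carrying the exact reduced set.
GROUPS_POSITIVE = {
    "GroupA": Group(roles=ALL_INVOICE),
    "GroupB": Group(permissions=role_permissions(ALL_INVOICE) - EXCLUDED),
}
# Option 2, deny permissions: everyone stays in GroupA; exceptions are per user.
GROUPS_DENY = {"GroupA": Group(roles=ALL_INVOICE)}

def option_positive(is_exception):
    user = User(groups={"GroupB" if is_exception else "GroupA"})
    return effective_permissions(user, GROUPS_POSITIVE)

def option_deny(is_exception):
    user = User(groups={"GroupA"}, deny=EXCLUDED if is_exception else set())
    return effective_permissions(user, GROUPS_DENY, allow_deny=True)
```

Both options yield the same effective set for the exception users; the difference is that option 1 must keep GroupB in sync whenever GroupA's roles change, while option 2 keeps a single group and the exclusion survives any later grant because the deny is applied last.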
