[keycloak-dev] roles vs. groups

Stan Silvert ssilvert at redhat.com
Wed Nov 4 11:21:17 EST 2015


On 11/4/2015 10:37 AM, Bill Burke wrote:
>
> On 11/4/2015 10:26 AM, Stan Silvert wrote:
>> On 11/4/2015 9:15 AM, Bill Burke wrote:
>>> I've already stated the reason for composite roles:
>>>
>>> Say you have a set of applications under the Sales and Marketing
>>> Department:  A Leads Application, Eloqua, and Salesforce.  Each of the
>>> applications has a set of roles that are used to manage access to
>>> various features of each application.  For example, each app might have
>>> an "admin" role.  You would then want to organize permissions into
>>> categories and assign coarser grain roles to individual users.  So, you
>>> would create a "Sales Admin" composite role that contains the "admin"
>>> role of each sales application.  Composite roles allow you to group
>>> together roles into role categories that you can assign to a specific
>>> user or user group.
>>>
>>> User Groups are different as you want to assign a set of permissions to
>>> a group of users.
>>>
>>> So composite roles are used to group together roles of a set of
>>> applications.  User Groups are used to grant a set of permissions to a
>>> set of users.
>> Maybe it's just me, but I think of user groups as just a way to group
>> users, and roles as a way to group permissions.  Roles are assigned to
>> user groups.  Permissions are assigned to roles.
>>
> We don't have the concept of a permission, so, assigning roles to a
> composite role is equivalent right now to assigning permissions to a role.
Isn't that what Pedro is working on right now?
>
>
>> I don't see why you need anything more.  In your example, each
>> application has an admin role that has a set of permissions for the
>> application.  Each admin role can be assigned to a Sales Admin user
>> group.   Sales Admin users are assigned to the Sales Admin user group.
>> Done.
>>
> App developers focus on designing the roles/permission model for the
> applications and would deal with roles, composite roles, and clients.
>
> User admins would focus on managing users and defining groups and
> assigning permissions/roles to groups and users.  Instead of dealing
> with fine-grain roles/permissions for each and every application, user
> admins just deal with coarse grain composite roles.
>

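To make the two designs discussed in the thread concrete, here is a small Python model of roles, composite roles and groups, added here for illustration. It is not Keycloak's own code and does not use Keycloak's API; the "leads:admin"/"eloqua:admin"/"salesforce:admin" client roles, the "sales-admin" composite, the group names and the users are constructed sample data. It computes a user's effective roles by expanding composites transitively (with a guard against a composite that, directly or indirectly, contains itself), and shows that a group mapped to one composite and a group mapped to each application's admin role directly grant the same application-level access; what differs is how many mappings a user admin has to maintain when an application's roles change.

```python
"""Toy model of Keycloak-style roles, composite roles and groups.

Constructed for illustration of the discussion above; it is not Keycloak's
code and does not use Keycloak's API. All role, group and user names are made up.
"""
from collections import defaultdict


class RealmModel:
    def __init__(self):
        self.roles = set()                    # all defined role names
        self.composites = defaultdict(set)    # composite role -> roles it directly contains
        self.group_roles = defaultdict(set)   # group -> roles mapped to the group
        self.user_roles = defaultdict(set)    # user -> roles mapped directly to the user
        self.user_groups = defaultdict(set)   # user -> groups the user belongs to

    def add_role(self, name):
        self.roles.add(name)

    def add_composite(self, name, members):
        # A composite role is itself a role that contains other roles.
        self.add_role(name)
        for m in members:
            if m not in self.roles:
                raise KeyError(f"unknown role {m!r}")
        self.composites[name].update(members)

    def map_group_roles(self, group, roles):
        for r in roles:
            if r not in self.roles:
                raise KeyError(f"unknown role {r!r}")
        self.group_roles[group].update(roles)

    def join_group(self, user, group):
        self.user_groups[user].add(group)

    def expand(self, role):
        """All roles granted by `role`, itself included, following composites
        transitively. The `result` set doubles as a visited set, so a cycle
        (A contains B, B contains A) terminates instead of recursing forever."""
        result, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in result:
                continue
            result.add(r)
            stack.extend(self.composites.get(r, ()))
        return result

    def effective_roles(self, user):
        # Roles reach a user either by direct mapping or through group membership;
        # every granted role is then expanded through its composites.
        granted = set(self.user_roles.get(user, ()))
        for g in self.user_groups.get(user, ()):
            granted |= self.group_roles.get(g, set())
        effective = set()
        for r in granted:
            effective |= self.expand(r)
        return effective

    def has_role(self, user, role):
        return role in self.effective_roles(user)


def build_sales_realm():
    """Both designs from the thread, side by side (constructed sample data)."""
    realm = RealmModel()
    # Each sales application defines its own fine-grained "admin" client role.
    app_admin_roles = ["leads:admin", "eloqua:admin", "salesforce:admin"]
    for r in app_admin_roles:
        realm.add_role(r)

    # Composite design: app developers publish a coarse "sales-admin" composite;
    # user admins map only that one role to the group.
    realm.add_composite("sales-admin", app_admin_roles)
    realm.map_group_roles("Sales Admin", ["sales-admin"])
    realm.join_group("alice", "Sales Admin")

    # Group-only design: no composite; each app's admin role is mapped to the group.
    realm.map_group_roles("Sales Admin (direct)", app_admin_roles)
    realm.join_group("bob", "Sales Admin (direct)")
    return realm


if __name__ == "__main__":
    realm = build_sales_realm()
    for user in ("alice", "bob"):
        print(user, sorted(realm.effective_roles(user)))
```

Running it prints both users with the same three application admin roles; alice additionally carries the "sales-admin" composite itself. Adding a fourth sales application's admin role is a one-line change to the composite in the first design, but a change to every group (and every directly mapped user) in the second, which is the maintenance argument the thread is about.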