[keycloak-dev] [authz] Roles as first class citizens

Pedro Igor Silva psilva at redhat.com
Sat Apr 1 10:21:36 EDT 2017


I think you are exploring now a new way of seeing things.

Today we have a flexible permissioning model where you define independent
policies to build these permissions or even build other policies. Where you
may have a library of policies, reuse these policies across different
permissions, etc.

What you are proposing, if I understood correctly, and that is what I meant
by the "new way of seeing things", is to also allow users to create
permissions more easily without necessarily having to create policies. In
other words, we would be providing additional permission types (in addition
to resource/scope) for some very common use cases like the one you
mentioned where you just need a white/blacklist of roles.

Does it make sense?

On Sat, Apr 1, 2017 at 10:11 AM, Bill Burke <bburke at redhat.com> wrote:

> I find creating role policies cumbersome.  Also, how is the admin
> supposed to know if a policy with a specific role has already been
> created or not?  Maybe policies can have DENY and PERMIT role lists.
> When creating permissions you can just pick roles to add/remove to the
> permission.  I think the most used, most common case (90% of the time?)
> will be assigning role permissions to resources so we should make it as
> easy as possible.  Both within the admin UI and APIs.  Thoughts?
>
> Bill

