[keycloak-user] Relationship of Groups to Roles?
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Thu Dec 10 16:09:29 EST 2015
>
> Roles in Keycloak are similar to Java EE roles. Users are granted a
> role, and become members of a Group. Groups in Keycloak are a
> collection of users. Groups can have roles and attributes assigned to
> them that user members inherit.
>
OK, so let me see if I'm conceptualizing this correctly. I've created
a role called "MyRole". I have a group called "MyGroup" and a user
named Matt Mosley (mmosley). I can grant mmosley the role MyRole
directly or I can add mmosley to MyGroup and grant MyGroup MyRole?
Additionally if the group MyGroup has an attribute x with the value y
then mmosley, once assigned to MyGroup, would inherit the group
attribute x=y?
> Clients/Applications work with roles, not with groups. Applications
> assign privileges to roles, not users or groups. Keycloak currently
> does not have the concept of Permissions/Entitlements. Applications
> have to handle how privileges are assigned to a role themselves.
>
I think we're saying the same thing here. Roles are the integration
point with Keycloak (not groups) and it's the application that gives a
role meaning.
So if I were to create a directory structure for an LDAP tree it would
probably look something like:
ou=keycloak
  - ou=users
    - uid=mmosley
  - ou=groups
    - cn=MyGroup
  - ou=roles
    - cn=myrole
    - ou=app1
      - cn=anAppSpecificRole
OpenUnison doesn't have the concept of "roles" vs "groups". So I
would probably have all roles start with a "role." and groups start
with a "group." so I can differentiate between them.
Am I on the right track? I've got Keycloak up and running so I'll
play around with the apis too but didn't want to do that in a vacuum.
Thanks
> On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
>> I'm trying to wrap my head around the use cases where each would be
>> used. If I understand it correctly, a role is a unit of authorization.
>> Roles can have entitlements, either defined by Keycloak or an
>> application. A role can have other roles as members. It can also
>> have groups and individual users. Groups aren't directly linked to
>> entitlements, but are instead used to simply create a way to create a
>> set of users (and groups). Is this an accurate representation?
>>
>> I ask because I want to build some integrations between OpenUnison and
>> MyVirtualDirectory. Both work primarily on the LDAP concepts of
>> users, groups and users. Beyond SSO integration between OpenUnison
>> and Keycloak, I'm looking at creating a provisioning target so
>> OpenUnison workflows can provision access to Keycloak roles as well
>> as an insert for MyVirtualDirectory that can represent Keycloak roles
>> and users as LDAP Objects for legacy applications.
>>
>> Thanks
>>
>>
>> Marc Boorshtein
>> CTO Tremolo Security
>> marc.boorshtein at tremolosecurity.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
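As an added illustration of the model discussed above (this is not code from Keycloak, OpenUnison or the thread), a small Python realm model that resolves a user's effective roles and attributes the way the replies describe: direct role mappings plus roles inherited from groups (and, as Keycloak does for subgroups, from a group's parents), composite roles expanded transitively, and group attributes inherited by members. It also flattens the result into the "role."/"group." naming scheme proposed for a directory that has no role-vs-group distinction. The "admins" subgroup, the "app1-admin" composite role, user "jdoe" and the attribute-precedence rule (user value wins, nearest group next) are assumptions made for the example; in Keycloak the attribute merge behaviour is a mapper setting.

```python
"""Model of Keycloak's user -> group -> role resolution, as described in the thread.

Assumptions (from the thread and Keycloak's documented model): a user's effective
roles are its directly mapped roles plus the roles of every group it belongs to
and of each of those groups' ancestors (subgroups inherit from parents), with
composite roles expanded transitively. Group attributes are inherited the same
way. How a user-level attribute interacts with a group-level one of the same
name is a mapper setting in Keycloak; here the user's own value wins and the
nearest group is consulted next. Realm contents below are constructed for
illustration; the 'admins' subgroup, 'app1-admin' composite role and user
'jdoe' do not appear in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Role:
    name: str
    composites: Set[str] = field(default_factory=set)  # roles this composite expands to


@dataclass
class Group:
    name: str
    parent: Optional[str] = None                       # Keycloak subgroups inherit from parent
    roles: Set[str] = field(default_factory=set)
    attributes: Dict[str, List[str]] = field(default_factory=dict)  # multi-valued, as in Keycloak


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)       # directly mapped roles
    groups: Set[str] = field(default_factory=set)      # direct memberships only
    attributes: Dict[str, List[str]] = field(default_factory=dict)


class Realm:
    def __init__(self, roles, groups, users):
        self.roles = {r.name: r for r in roles}
        self.groups = {g.name: g for g in groups}
        self.users = {u.username: u for u in users}

    def group_chain(self, name: str) -> List[Group]:
        """A group followed by its ancestors, nearest first (guarded against cycles)."""
        chain, seen = [], set()
        while name is not None and name not in seen:
            seen.add(name)
            chain.append(self.groups[name])
            name = self.groups[name].parent
        return chain

    def expand_roles(self, names: Set[str]) -> Set[str]:
        """Transitive closure over composite roles."""
        result, stack = set(), list(names)
        while stack:
            n = stack.pop()
            if n not in result:
                result.add(n)
                stack.extend(self.roles[n].composites)
        return result

    def effective_roles(self, username: str) -> Set[str]:
        u = self.users[username]
        granted = set(u.roles)
        for gname in u.groups:
            for g in self.group_chain(gname):
                granted |= g.roles
        return self.expand_roles(granted)

    def effective_attributes(self, username: str) -> Dict[str, List[str]]:
        u = self.users[username]
        attrs: Dict[str, List[str]] = {}
        for gname in sorted(u.groups):             # sibling order is a choice made here
            for g in self.group_chain(gname):      # nearest group first, so never overwrite
                for k, v in g.attributes.items():
                    attrs.setdefault(k, list(v))
        attrs.update({k: list(v) for k, v in u.attributes.items()})  # user's own value wins
        return attrs

    def ldap_memberships(self, username: str) -> List[str]:
        """Flatten roles and groups into one namespace with the 'role.'/'group.' prefixes
        proposed in the thread for a directory that has no role/group distinction."""
        u = self.users[username]
        groups = {g.name for gname in u.groups for g in self.group_chain(gname)}
        return sorted([f"role.{r}" for r in self.effective_roles(username)]
                      + [f"group.{g}" for g in groups])


# Constructed sample realm (MyRole, MyGroup, mmosley and anAppSpecificRole come from the thread).
REALM = Realm(
    roles=[Role("MyRole"), Role("anAppSpecificRole"),
           Role("app1-admin", composites={"anAppSpecificRole"})],
    groups=[Group("MyGroup", roles={"MyRole"}, attributes={"x": ["y"]}),
            Group("admins", parent="MyGroup", roles={"app1-admin"},
                  attributes={"x": ["z"], "tier": ["1"]})],
    users=[User("mmosley", groups={"MyGroup"}),
           User("jdoe", groups={"admins"}, attributes={"tier": ["0"]})],
)

if __name__ == "__main__":
    for name in ("mmosley", "jdoe"):
        print(name, sorted(REALM.effective_roles(name)),
              REALM.effective_attributes(name), REALM.ldap_memberships(name))
```

Running it shows mmosley holding MyRole and x=y purely through MyGroup membership, while jdoe, a member only of the constructed "admins" subgroup, picks up MyRole and x from the parent group plus anAppSpecificRole through the composite role, with the user's own tier value overriding the group's. The flattened names are what a virtual directory insert would expose as memberOf-style values for a legacy application.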