[keycloak-user] Relationship of Groups to Roles?
Bill Burke
bburke at redhat.com
Fri Dec 11 08:48:53 EST 2015
On 12/10/2015 4:09 PM, Marc Boorshtein wrote:
>>
>> Roles in Keycloak are similar to Java EE roles. Users are granted a
>> role, and become members of a Group. Groups in Keycloak are a
>> collection of users. Groups can have roles and attributes assigned to
>> them that user members inherit.
>>
>
> OK, so let me see if i'm conceptualizing this correctly. I've created
> a role called "MyRole". I have a group called "MyGroup" and a user
> named Matt Mosley (mmosley). I can grant mmosley the role MyRole
> directly or I can add mmosley to MyGroup and grant MyGroup MyRole?
> Additionally if the group MyGroup has an attribute x with the value y
> then mmosley, once assigned to MyGroup, would inherit the group
> attribute x=y?
>
>
>> Clients/Applications work with roles, not with groups. Applications
>> assign privileges to roles, not users or groups. Keycloak currently
>> does not have the concept of Permissions/Entitlements. Applications
>> have to handle how privileges are assigned to a role themselves.
>>
>
> I think we're saying the same thing here. Roles are the integration
> point with KeyCloak (not groups) and its the application that gives a
> role meaning.
>
> So if I were to create a directory structure for an LDAP tree it would
> probably look something like:
>
> ou=keycloack
>   - ou=users
>     - uid=mmosley
>   - ou=groups
>     - cn=MyGroup
>   - ou=roles
>     - cn=myrole
>     - ou=app1
>       - cn=anAppSpecificRole
>
> OpenUnison doesn't have the concept of "roles" vs "groups". So I
> would probably have all roles start with a "role." and groups start
> with a "group." so I can differentiate between them.
>
> Am I on the right track? I've got Keycloak up and running so I'll
> play around with the apis too but didn't want to do that in a vacuum.
>
Yes, you are on the right track. We're always open to suggestions on
how to model things better too.
Also, you could certainly populate group membership information in your
tokens/SAML assertions and combine the concepts of group/role. But
Keycloak itself has separate meanings for them.
Also, Pedro is working on a permission service based on UMA. You should be
seeing alphas/betas coming out soon.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
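As an added illustration (not code from the thread or from Keycloak itself), a small Python model of the resolution the two messages describe: a user's effective roles and attributes come from direct grants plus group membership (including parent groups), and it is the application, not Keycloak, that maps roles to privileges. MyRole, MyGroup and mmosley come from the thread; the subgroup, the app1.admin role and the privilege table are constructed assumptions.

```python
"""Added example: in-memory model of Keycloak-style role/group resolution.
Data below is constructed for illustration; it is not Keycloak's own code."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)        # roles mapped to the group
    attributes: dict = field(default_factory=dict)
    parent: "Group | None" = None                  # subgroups inherit from parents


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)        # roles granted directly
    groups: list = field(default_factory=list)


def effective_roles(user):
    """Direct grants plus roles inherited from each group and its ancestors."""
    roles = set(user.roles)
    for g in user.groups:
        while g is not None:
            roles |= g.roles
            g = g.parent
    return roles


def effective_attributes(user):
    """Attributes inherited from groups; a child group overrides its parent."""
    attrs = {}
    for g in user.groups:
        chain = []
        while g is not None:
            chain.append(g)
            g = g.parent
        for ancestor in reversed(chain):   # apply root first so children win
            attrs.update(ancestor.attributes)
    return attrs


# The application, not Keycloak, decides what a role is allowed to do
# (constructed privilege table; Keycloak has no permission concept here).
APP_PRIVILEGES = {"MyRole": {"read:report"},
                  "app1.admin": {"read:report", "delete:report"}}


def is_allowed(user, privilege):
    """Authorization is decided on roles only, never on group names."""
    return any(privilege in APP_PRIVILEGES.get(r, ()) for r in effective_roles(user))


# Constructed sample mirroring the thread: MyGroup carries MyRole and x=y.
my_group = Group("MyGroup", roles={"MyRole"}, attributes={"x": "y"})
mmosley = User("mmosley", groups=[my_group])
```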