[keycloak-user] Keycloak to set up Teams and Organizations

Bill Burke bburke at redhat.com
Wed Oct 14 19:23:46 EDT 2015

On 10/14/2015 7:06 PM, Nic Grange wrote:
>>From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.


> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great affect, it is probably not what they were intended for.
> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administrator only data created/owned by users in that group).

I like that idea.  A better alternative might be that each group has an 
"user-admin" role.  If a user has the "user-admin" role of the group, it 
can administer users in that group and assign roles defined in that 
group.  One thing to really think about is, what about sub-groups.  Can 
an admin of the parent group administer sub groups?

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list