[keycloak-user] Keycloak to set up Teams and Organizations
Bill Burke
bburke at redhat.com
Wed Oct 14 19:23:46 EDT 2015
On 10/14/2015 7:06 PM, Nic Grange wrote:
> From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
>
Exactly.
>
>
> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
>
> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administer only data created/owned by users in that group).
>
I like that idea. A better alternative might be that each group has an
"user-admin" role. If a user has the "user-admin" role of the group, it
can administer users in that group and assign roles defined in that
group. One thing to really think about is, what about sub-groups? Can
an admin of the parent group administer sub-groups?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com