[keycloak-user] Keycloak to set up Teams and Organizations

Nic Grange nicolas.grange at retrievercommunications.com
Wed Oct 14 19:52:59 EDT 2015

Thanks for the quick response.
Can an admin of the parent group administer sub groups?
Yes, I think so. It should be hierarchical. If you don’t want them to have that privilege then make them only admin of the sub-group.

I like the idea of each group having an "user-admin” role.

Say you have an application that allows users to create/modify/share documents.
I see Groups as useful for tagging the document with the Group Id (additionally to the User Id) 
so that if another user logs in from the same group and the original user has chosen to allow this document to be shared within their group,
the application can securely retrieve all the documents that are shared within their group. 

Hope this makes sense,

>Date: Wed, 14 Oct 2015 19:23:46 -0400
>From: Bill Burke <bburke at redhat.com>
>Subject: Re: [keycloak-user] Keycloak to set up Teams and
>	Organizations
>To: keycloak-user at lists.jboss.org
>Message-ID: <561EE402.7090608 at redhat.com>
>Content-Type: text/plain; charset=windows-1252; format=flowed
>On 10/14/2015 7:06 PM, Nic Grange wrote:
>>>From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
>> Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great affect, it is probably not what they were intended for.
>> The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administrator only data created/owned by users in that group).
>I like that idea.  A better alternative might be that each group has an 
>"user-admin" role.  If a user has the "user-admin" role of the group, it 
>can administer users in that group and assign roles defined in that 
>group.  One thing to really think about is, what about sub-groups.  Can 
>an admin of the parent group administer sub groups?
>Bill Burke

More information about the keycloak-user mailing list