[keycloak-user] Groups/Roles/Clients best practices

Rashiq rysiek at occrp.org
Thu Dec 8 19:00:59 EST 2016


Hi all,

first a little introduction. I am currently tasked with deploying Keycloak as 
an SSO solution for a middle-sized NGO. Keycloak seems like a perfect solution 
for us, with capabilities to scale and support more elaborate set-ups as we 
grow and new needs arise.

We will have a few thousand users in there, with varying access levels to 
different tools we use. And we need to make our setup as simple as possible 
(so that it's manageable) -- but not simpler.

We are also going to have several clients -- software that we want to 
authenticate against our Keycloak instance. Each of these will have certain 
resources available only to certain groups of users. For example, a discussion 
forum might have certain topics locked and available only to certain groups; 
or a data storage solution might have a certain set of data only available to 
a certain group of users.

Now, most of the time, if a user is a member of a particular group, they get 
access to all resources locked to this particular group in each of these 
clients. However, we do have use-cases where a user should have access to a 
group-locked resource in client A, but not in client B (while keeping access 
to the more generally available resources in both clients).


This gets complicated fast, and we'd like to ask if there are any best 
practices we could look into and follow?


Right now my thinking is to have client roles related to each of the sets of 
locked-down resources; then a realm-wide composite role getting all of the 
client roles together for easier management of the most common use-case; then 
a group to easily manage users who get the composite realm role (and thus, all 
the client roles).

This way we could manage the most common use-case easily, but if there's a 
user who should have access only to the particular locked-down resources in 
*some* of the clients, we can also grant these more granularly. The actual 
software that authenticates/authorizes against Keycloak would only have to 
look for the client role, and wouldn't have to care about the realm role or 
the group, or anything else.


Does this make sense? Perhaps we're missing some obvious solution, or perhaps 
we're making some wrong assumptions somewhere.

Any suggestions much appreciated!

-- 
Regards,
rashiq
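A worked version of the layout proposed above (client roles per locked-down resource, a realm composite role bundling them, a group granting the composite), as an added Python example that is not from the original post; it simulates how Keycloak resolves that layout into the `resource_access` claim an application checks. The realm role, group and client names are assumptions.

```python
"""Simulate Keycloak role resolution for the proposed groups/roles layout.
Names below (clients, roles, groups, users) are constructed for illustration."""
from collections import defaultdict

# Client roles are written "client/role". The realm-level composite role
# "restricted-access" bundles the client roles for the common case.
COMPOSITES = {"restricted-access": {"forum/locked-topics", "storage/restricted-data"}}
# Group membership grants the realm composite role.
GROUP_ROLES = {"restricted-users": {"restricted-access"}}


def expand(role, composites):
    """Expand a realm role into its leaf (client) roles; cycle-safe."""
    leaves, seen, stack = set(), set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        members = composites.get(r)
        if members is None:
            leaves.add(r)          # not a composite: a client role
        else:
            stack.extend(members)
    return leaves


def resource_access(user, composites=COMPOSITES, group_roles=GROUP_ROLES):
    """Build the token's `resource_access` claim: {client: {"roles": [...]}}.
    user = {"groups": [...], "realm_roles": [...], "client_roles": [...]}"""
    effective = set(user.get("client_roles", []))   # granular direct grants
    realm = set(user.get("realm_roles", []))
    for g in user.get("groups", []):
        realm |= group_roles.get(g, set())          # group -> realm role
    for r in realm:
        effective |= {x for x in expand(r, composites) if "/" in x}
    out = defaultdict(set)
    for cr in effective:
        client, role = cr.split("/", 1)
        out[client].add(role)
    return {c: {"roles": sorted(rs)} for c, rs in out.items()}


def has_client_role(claims, client, role):
    """All an application needs: its own client role in the token."""
    return role in claims.get("resource_access", {}).get(client, {}).get("roles", [])


# Common case via the group; granular case via one direct client role.
ALICE = {"groups": ["restricted-users"]}
BOB = {"client_roles": ["forum/locked-topics"]}
```

Whether a user reached the client role through the group, the composite, or a direct grant is invisible to the application, which is the property the proposal relies on.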

