[keycloak-user] Scope based roles

Stadin, Benjamin Benjamin.Stadin at heidelberg-mobil.com
Tue Oct 18 17:33:32 EDT 2016


Hi,

I want to keep my roles and permissions simple, but I have some specific requirements and I'm struggling to map these to Keycloak groups or roles. For example, I need to assign users to predefined roles based on their current "location". Instead of describing the actual roles of my portal, I'll use a student portal to give an example of what I'm looking for. It should be more self-explanatory.

Think of a student portal where there is a "global" area where students can see the courses they are enrolled in, and "course" areas for each of the courses with course material etc.:

  *   Students can sign in to the student portal with their student ID. They can see their courses on the "global" page, but not others.
  *   Students can't create courses, but they can be administrators within selected courses (think of tutors who get another role assigned by a course's professor).
  *   Professors can see all courses and create new ones. They can enroll students into courses and assign them a specific role for this course (e.g. tutor, guest, "normal student").
  *   Professors have no permissions for courses they don't own.

Roles and permissions:
As mentioned above, there are two scopes, global and course. A user has one role at a time, depending on his/her current location.

  *   GLOBAL_PROFESSOR: This is the role a professor has in the global scope. Here she/he can create new courses and administer (create, delete, open, close) her/his own courses, but otherwise has no permissions for courses of other professors.
  *   COURSE_PROFESSOR: This is the role a professor has in the course scope. Here she/he has admin rights, can assign course roles to students, etc., as explained above.
  *   GLOBAL_STUDENT: The role a student has in the global scope. Here she/he can see courses, but can't do much else.
  *   COURSE_STUDENT: The role a student has within the scope of a particular course, e.g. see all course materials, upload new stuff, post messages in a course forum, etc.
  *   COURSE_TUTOR: Same as student, plus they can e.g. enroll students in the course, delete assets of other students in this course, etc.
  *   COURSE_GUEST: Can view course content, but can't upload files or do much else but view and download stuff.

I could create groups for each of the courses and each role, but that is actually what I'd rather avoid, for maintenance reasons and simplicity.

What group and role definition model would you suggest for Keycloak?

Cheers
Ben
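The following is an added example, not part of Ben's post and not Keycloak's own code. It shows the resource-server side of the model described above: the two global roles are carried as ordinary Keycloak realm roles (the default `realm_access.roles` claim), while per-course roles are carried in a multi-valued `course_roles` claim with entries of the form `<course_id>:<role>`. That claim name and format are this example's assumption (it would be filled by a protocol mapper from a user attribute, rather than by a group per course and role); the token payload is assumed to have been signature-verified before it reaches this code. The point worth checking in practice is that the global professor role never leaks into a course scope: inside a course, only an explicit course role counts, and a token that names two roles for the same course resolves to the weaker one.

```python
"""Resolve the single, location-scoped role a user holds from Keycloak token
claims (added example; the 'course_roles' claim layout is an assumption).

Location is either "global" or "course:<course_id>". The token payload
(already signature-verified upstream) is passed in as a plain dict.
"""
from typing import Optional

# Global roles, checked in priority order; a user with both gets professor.
GLOBAL_ROLE_BY_PRIORITY = ["GLOBAL_PROFESSOR", "GLOBAL_STUDENT"]

# Course roles from least to most privileged. Conflicts in a token (two
# different roles for the same course) resolve *downward* to the weaker one.
COURSE_ROLE_RANK = ["guest", "student", "tutor", "professor"]
COURSE_ROLE_NAME = {
    "guest": "COURSE_GUEST",
    "student": "COURSE_STUDENT",
    "tutor": "COURSE_TUTOR",
    "professor": "COURSE_PROFESSOR",
}

# Action vocabulary is this example's; it mirrors the capabilities listed
# in the post for each role.
PERMISSIONS = {
    "GLOBAL_PROFESSOR": {"course:create", "course:list_own", "course:administer_own"},
    "GLOBAL_STUDENT": {"course:list_enrolled"},
    "COURSE_PROFESSOR": {"material:view", "material:upload", "forum:post",
                         "member:enroll", "role:assign", "asset:delete_any"},
    "COURSE_TUTOR": {"material:view", "material:upload", "forum:post",
                     "member:enroll", "asset:delete_any"},
    "COURSE_STUDENT": {"material:view", "material:upload", "forum:post"},
    "COURSE_GUEST": {"material:view"},
}


def realm_roles(claims: dict) -> set:
    """Realm roles as Keycloak places them in the access token by default."""
    return set(claims.get("realm_access", {}).get("roles", []))


def course_roles(claims: dict) -> dict:
    """Parse the assumed multi-valued 'course_roles' claim into {course: role}.

    Malformed entries and unknown role names are dropped (fail closed), and
    duplicate courses collapse to the least privileged role named.
    """
    parsed = {}
    for entry in claims.get("course_roles", []):
        course, sep, role = str(entry).partition(":")
        if not sep or not course or role not in COURSE_ROLE_NAME:
            continue
        previous = parsed.get(course)
        if previous is None or COURSE_ROLE_RANK.index(role) < COURSE_ROLE_RANK.index(previous):
            parsed[course] = role
    return parsed


def owned_courses(claims: dict) -> set:
    """Courses in which the token grants the professor role (ownership)."""
    return {c for c, r in course_roles(claims).items() if r == "professor"}


def effective_role(claims: dict, location: str) -> Optional[str]:
    """The one role held at `location`, or None if the user has no role there."""
    if location == "global":
        held = realm_roles(claims)
        for role in GLOBAL_ROLE_BY_PRIORITY:
            if role in held:
                return role
        return None
    if location.startswith("course:"):
        course_id = location[len("course:"):]
        role = course_roles(claims).get(course_id)
        # No fallback to the global role on purpose: GLOBAL_PROFESSOR grants
        # nothing inside a course the professor does not own.
        return COURSE_ROLE_NAME[role] if role else None
    return None  # unknown location format: deny


def is_allowed(claims: dict, location: str, action: str) -> bool:
    """Authorize `action` at `location` using only the effective role there."""
    role = effective_role(claims, location)
    return role is not None and action in PERMISSIONS[role]


# Constructed sample token payloads (no real users or signatures).
PROF_TOKEN = {
    "sub": "prof-1",
    "realm_access": {"roles": ["GLOBAL_PROFESSOR"]},
    "course_roles": ["cs101:professor"],
}
TUTOR_TOKEN = {
    "sub": "stud-7",
    "realm_access": {"roles": ["GLOBAL_STUDENT"]},
    # ma200 is listed twice; the weaker role (student) wins.
    "course_roles": ["cs101:tutor", "ma200:student", "ma200:tutor"],
}

if __name__ == "__main__":
    for token in (PROF_TOKEN, TUTOR_TOKEN):
        for loc in ("global", "course:cs101", "course:ma200"):
            print(token["sub"], loc, effective_role(token, loc))
```

The deliberate choice here is that course access is derived only from the explicit per-course entries, so "professors have no permissions for courses they don't own" holds without any group-per-course structure; ownership for the global "administer own courses" case is read from the same claim via `owned_courses`.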

