[keycloak-user] Multi Tenancy in one realm / roles with group context

Max Bruchmann maxbruchmann at gmail.com
Sun Aug 27 17:40:35 EDT 2017


Hi,
I'm currently evaluating Keycloak for my use case. We have a hierarchical
multi-tenant application (sport clubs and teams).
As we have users that work in multiple clubs the multiple realm scenario is
not feasible for our application.

There are users that may have roles like "club-admin" for a certain club or
"team-admin" for a certain team.

To evaluate whether a user has permission to do something on a certain team, like
"modifying a team" or "create a training session", I would need to set the
role of a club/team-admin into the context of the club or team.

If I understand it correctly, the roles that are assigned by a group a
user belongs to are global, meaning if I try to figure out whether a user can modify
a certain team, the resolved roles will not reflect in which team a user
may be a trainer-admin.

Therefore, to achieve rules like this, I could encode the club/team
context in the role name, like "club-admin@123" or, for a team, "team-admin@987".

Is this a scalable approach, or is there a better solution for this?


More information about the keycloak-user mailing list
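The two encodings the post weighs (tenant id appended to the role name versus hierarchical group membership) parsed into tenant-scoped grants and checked with club-to-team inheritance, as an added example in Python. This is not code from the thread or from Keycloak. It assumes the access token has already been signature- and expiry-validated, that `realm_access.roles` is Keycloak's realm-role claim and that a `groups` claim carrying full group paths comes from a Group Membership protocol mapper; the `/clubs/<id>/teams/<id>/<kind>` group layout, the extra `trainer` role, the action table and the team-to-club data are assumptions made for the example.

```python
"""Tenant-scoped authorization over Keycloak token claims.

Added example, not code from the mailing-list thread or from Keycloak.
Assumes the token was already validated and that the resource server
owns the team -> club mapping.
"""
import re
from dataclasses import dataclass

# Role name -> the tenant level it binds to. "trainer" is an assumed extra role.
ROLE_SCOPE = {"club-admin": "club", "team-admin": "team", "trainer": "team"}

# Action -> roles allowed to perform it (assumed policy).
ACTIONS = {
    "club:modify": {"club-admin"},
    "team:modify": {"club-admin", "team-admin"},
    "training:create": {"club-admin", "team-admin", "trainer"},
}

# Constructed application data: which club owns each team.
TEAM_CLUB = {"987": "123", "555": "456"}

# Encoding 1: tenant id in the role name, e.g. "club-admin@123".
SCOPED_ROLE = re.compile(r"^(?P<role>[a-z][a-z-]*)@(?P<id>[0-9]+)$")

# Encoding 2: Keycloak group paths (Group Membership mapper with full path),
# e.g. "/clubs/123/admins" or "/clubs/123/teams/987/trainers". Layout assumed.
GROUP_PATH = re.compile(
    r"^/clubs/(?P<club>[0-9]+)(?:/teams/(?P<team>[0-9]+))?/(?P<kind>admins|trainers)$")
GROUP_ROLE = {("club", "admins"): "club-admin",
              ("team", "admins"): "team-admin",
              ("team", "trainers"): "trainer"}


@dataclass(frozen=True)
class Grant:
    role: str   # e.g. "team-admin"
    scope: str  # "club" or "team"
    id: str     # the club or team id the role is bound to


def grants_from_roles(roles):
    """Parse scoped realm roles; unscoped roles such as offline_access carry no tenant and are skipped."""
    out = set()
    for name in roles:
        m = SCOPED_ROLE.match(name)
        if m and m["role"] in ROLE_SCOPE:
            out.add(Grant(m["role"], ROLE_SCOPE[m["role"]], m["id"]))
    return out


def grants_from_groups(paths):
    """Derive the same Grant objects from hierarchical group paths."""
    out = set()
    for path in paths:
        m = GROUP_PATH.match(path)
        if not m:
            continue
        scope = "team" if m["team"] else "club"
        role = GROUP_ROLE.get((scope, m["kind"]))
        if role:
            out.add(Grant(role, scope, m["team"] or m["club"]))
    return out


def grants_from_claims(claims):
    """Union of both encodings, so a realm can migrate from one to the other."""
    roles = claims.get("realm_access", {}).get("roles", [])
    return grants_from_roles(roles) | grants_from_groups(claims.get("groups", []))


def allowed(grants, action, *, club=None, team=None):
    """Decide `action` on a club or a team.

    A club-level grant covers every team of that club. The owning club is
    always looked up from TEAM_CLUB, never taken from the caller, so a
    mismatched (club, team) pair in a request cannot widen access.
    """
    needed = ACTIONS[action]
    if team is not None:
        club = TEAM_CLUB.get(team)  # unknown team -> no parent -> only an exact team grant could match
    for g in grants:
        if g.role not in needed:
            continue
        if g.scope == "team" and team is not None and g.id == team:
            return True
        if g.scope == "club" and club is not None and g.id == club:
            return True
    return False


# Constructed payload of an already-validated Keycloak access token.
SAMPLE_CLAIMS = {
    "sub": "example-user",
    "realm_access": {"roles": ["club-admin@123", "team-admin@987", "offline_access"]},
    "groups": ["/clubs/456/teams/555/trainers"],
}

if __name__ == "__main__":
    g = grants_from_claims(SAMPLE_CLAIMS)
    for action, ctx in [("team:modify", {"team": "987"}), ("team:modify", {"team": "555"}),
                        ("training:create", {"team": "555"}), ("club:modify", {"club": "456"})]:
        print(action, ctx, allowed(g, action, **ctx))
```

The practical difference between the two encodings shows up in `grants_from_roles` versus `grants_from_groups`: scoped role names need a new realm role per club and per team and carry no parent relation, so the club-to-team inheritance has to come from the application's own `TEAM_CLUB` data either way; group paths at least express the hierarchy in Keycloak itself. In both cases the resource server, not the token, is the place where "club-admin of club 123 may modify team 987" is decided.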