[keycloak-user] Keycloak Roles and Usergroups

Dmitry Telegin dt at acutus.pro
Tue Jul 10 08:58:08 EDT 2018


Hi Vinay,

From my experience, I'd say that:
- roles are more likely to reflect a person's functions in the
organization;
- groups are more likely to reflect organizational structure.

For example, if there are offices and departments (like "NY Office",
"IT Department"), that would normally map to nested groups.

On the other hand, business functions would rather map to roles (like
"managers", "developers", "sysadmins", etc.).

There's also a number of technical differences:
- akin to nested groups, there are composite roles. However, the logic
is different: if you grant a composite role to a user, every child role
would be granted, too (which is not true for groups);
- you can assign a role to a group (not vice versa);
- by default, Keycloak adapters can restrict access based on roles
only. If you want to use groups for the same, you'll need to turn on
authorization services and create corresponding policies.

Could you please elaborate on your particular use case? If you describe
it briefly, I think we'll be able to decide what's better for you.

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> What is the difference between Keycloak roles and usergroups? Are they
> interchangeable, i.e. can we use roles instead of groups or vice versa
> to address a problem? Is it possible to have roles within roles, just
> like groups?
> Clear guidelines on how to use groups and roles will help.
> 
> thanks
> /Vinay
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
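
The technical differences listed in the reply above (composite roles, roles assigned to groups, nested groups), as an added example that is not part of the original thread and is not Keycloak's own code. It is a simplified model for auditing which roles a user effectively holds; all role names, group paths and function names are constructed, and it assumes the documented Keycloak behaviour, not stated in the post, that a subgroup member also receives the role mappings of parent groups.

```python
# Simplified model of the role/group semantics described in the reply.
# Not Keycloak code; every role, group and function name is constructed.

COMPOSITES = {                       # composite role -> child roles
    "managers": {"approve-expenses", "view-reports"},
    "sysadmins": {"manage-servers", "operators"},
    "operators": {"view-reports", "sysadmins"},  # constructed cycle, exercises the guard
}
GROUP_PARENT = {                     # nested groups: child -> parent
    "/NY Office": None,
    "/NY Office/IT Department": "/NY Office",
}
GROUP_ROLES = {                      # "you can assign a role to a group"
    "/NY Office": {"building-access"},
    "/NY Office/IT Department": {"sysadmins"},
}


def expand_composites(roles):
    """Granting a composite role grants every child role, transitively."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:             # already expanded; also stops cycles
            continue
        seen.add(role)
        stack.extend(COMPOSITES.get(role, ()))
    return seen


def group_chain(group):
    """Yield the group and its ancestors (assumption: parent role mappings
    are inherited). Child groups are never yielded: joining a parent group
    does not make the user a member of its subgroups."""
    while group is not None:
        yield group
        group = GROUP_PARENT.get(group)


def effective_roles(direct_roles, groups):
    """Union of direct and group-derived roles, with composites expanded."""
    granted = set(direct_roles)
    for member_of in groups:
        for node in group_chain(member_of):
            granted |= GROUP_ROLES.get(node, set())
    return expand_composites(granted)


def audit(direct_roles, groups, sensitive):
    """Sensitive roles the user effectively holds, sorted for reporting."""
    return sorted(effective_roles(direct_roles, groups) & set(sensitive))
```

Running `audit` over each user's direct roles and group memberships shows where a single composite role or group assignment silently grants a sensitive child role.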

