[keycloak-user] Keycloak Roles and Usergroups

Max Bruchmann max.bruchmann at hotmail.com
Thu Jul 19 10:37:05 EDT 2018


Hi Dmitry,

Do you know if there is any way to retrieve the group context of a role?

My use case would be that I have multiple sport clubs (group) with
multiple teams (subgroup):

-club1
--team1_1
--team1_2
-club2
--team2_1
--team2_1


I have, for example, the role COACH, but of course this role only makes
sense in the context of the team.

As far as I understand Keycloak, this is currently not possible.


Kind Regards,

Max


On 10.07.18 at 14:58, Dmitry Telegin wrote:
> Hi Vinay,
>
> From my experience, I'd say that:
> - roles are more likely to reflect a person's functions in the
> organization;
> - groups are more likely to reflect organizational structure.
>
> For example, if there are offices and departments (like "NY Office",
> "IT Department"), that would normally map to nested groups.
>
> On the other hand, business functions would rather map to roles (like
> "managers", "developers", "sysadmins" etc.)
>
> There's also a number of technical differences:
> - akin to nested groups, there are composite roles. However, the logic
> is different: if you grant a composite role to a user, every child role
> would be granted, too (which is not true for groups);
> - you can assign a role to a group (not vice versa);
> - by default, Keycloak adapters can restrict access based on roles
> only. If you want to use groups for the same, you'll need to turn on
> authorization services and create corresponding policies.
>
> Could you please elaborate on your particular use case? If you describe
> it briefly, I think we'll be able to decide what's better for you.
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
>> What is the difference between Keycloak roles and usergroups? Are they
>> interchangeable, i.e. can we use roles instead of groups or vice versa
>> to address a problem? Is it possible to have roles within roles, just
>> like groups?
>> Clear guidelines on how to use groups and roles will help.
>>
>> thanks
>> /Vinay
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
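A simplified model of the role semantics described in the quoted reply (composite roles expand to their children, roles can be assigned to groups), added here as an example and not taken from the thread or from Keycloak's code. It assumes subgroup members inherit roles mapped to parent groups; every role name other than COACH, the composite contents, the role-to-group assignments and all function names are constructed. It shows why a flat role set loses the team that granted COACH, and what an application-side check would have to track instead.

```python
# Simplified model (assumption), not Keycloak code. All data is constructed.
COMPOSITES = {"COACH": {"VIEW_ROSTER", "EDIT_LINEUP"}}  # composite -> child roles
GROUP_ROLES = {"/club1": {"MEMBER"}, "/club1/team1_1": {"COACH"}}  # role -> group


def expand(role, seen=None):
    """Return role plus every child role reachable through composites."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for child in COMPOSITES.get(role, ()):
            expand(child, seen)
    return seen


def ancestors(path):
    """'/club1/team1_1' -> ['/club1', '/club1/team1_1']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def roles_by_origin(direct_roles, groups):
    """Map each effective role to the set of places that granted it."""
    origin = {}
    for role in direct_roles:
        for r in expand(role):
            origin.setdefault(r, set()).add("direct")
    for g in groups:
        for a in ancestors(g):  # assumption: parent group roles are inherited
            for role in GROUP_ROLES.get(a, ()):
                for r in expand(role):
                    origin.setdefault(r, set()).add(a)
    return origin


def effective_roles(direct_roles, groups):
    """Flat role set: the only view a role-only access check works with."""
    return set(roles_by_origin(direct_roles, groups))


def has_role_in_group(direct_roles, groups, role, group):
    """Application-side check: was `role` granted through `group` itself?"""
    return group in roles_by_origin(direct_roles, groups).get(role, set())
```

For a user in both `/club1/team1_1` and `/club2/team2_1`, `effective_roles` contains COACH with no team attached, while `has_role_in_group` is true only for `/club1/team1_1`.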
