[keycloak-user] Keycloak Roles and Usergroups

Max Bruchmann max.bruchmann at hotmail.com
Wed Jul 25 05:06:35 EDT 2018


Hi Dmitry,

Thank you for your reply.

> Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members).

Yes, I just was not sure whether I had overlooked something here.

Regarding the fine-grained approach: the problem would be that a user may be a PLAYER in a certain team/group but a COACH in a different team/group.

I was thinking about creating roles like, for example, COACH at team1_1 and PLAYER at team_1_2, so that during the permission evaluation I could parse this information.

Unfortunately, Keycloak has paging query support for neither Roles nor Groups, and therefore this approach currently would not scale, as you may generate a few thousand roles.

My current idea is that I handle this hierarchical role concept in a custom application and just use Keycloak for authentication and global role management.


Kind Regards,
Max

On 23.07.18 at 03:18, Dmitry Telegin wrote:
> Hi Max,
>
> On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
>> Hi Dmitry,
>>
>> do you know if there is any way to retrieve the group context of a
>> role?
> Could you please elaborate on the "group context of a role"? In
> Keycloak, roles are not related to groups (however a group can
> reference roles to be automatically assigned to group members).
>
>> My use case would be that I have multiple sport clubs (group) with
>> multiple teams (subgroup)
>>
>> -club1
>>
>> --team1_1
>>
>> --team1_2
>>
>> -club2
>>
>> --team2_1
>>
>> --team2_1
>>
>>
>> I have for example the role COACH but of course this role makes only
>> sense in context of the team.
> I agree with that, but what's the (bigger) problem you're trying to
> solve?
>
> I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following:
>
> - create the "coach" role;
> - grant this role to all coaches;
> - put your coaches into the corresponding groups (teams);
> - use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player).
>
> Hope it helps,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
>> As far as I understand keycloak this is currently not possible
>>
>>
>> Kind Regards,
>>
>> Max
>>
>>
>> On 10.07.18 at 14:58, Dmitry Telegin wrote:
>>> Hi Vinay,
>>>
>>> From my experience, I'd tell that:
>>> - roles are more likely to reflect a person's functions in the
>>> organization;
>>> - groups are more likely to reflect organizational structure.
>>>
>>> For example, if there are offices and departments (like "NY Office",
>>> "IT Department"), that would normally map to nested groups.
>>>
>>> On the other hand, business functions would rather map to roles
>>> (like "managers", "developers", "sysadmins" etc.)
>>>
>>> There's also a number of technical differences:
>>> - akin to nested groups, there are composite roles. However, the
>>> logic is different: if you grant a composite role to a user, every
>>> child role would be granted, too (which is not true for groups);
>>> - you can assign a role to a group (not vice versa);
>>> - by default, Keycloak adapters can restrict access based on roles
>>> only. If you want to use groups for the same, you'll need to turn on
>>> authorization services and create corresponding policies.
>>>
>>> Could you please elaborate on your particular use case? If you
>>> describe it briefly, I think we'll be able to decide what's better
>>> for you.
>>>
>>> Dmitry Telegin
>>> CTO, Acutus s.r.o.
>>> Keycloak Consulting and Training
>>>
>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> +42 (022) 888-30-71
>>> E-mail: info at acutus.pro
>>>
>>> On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
>>>> What is the difference between Keycloak roles and user groups? Are
>>>> they interchangeable, i.e. can we use roles instead of groups or
>>>> vice versa to address a problem? Is it possible to have roles
>>>> within roles, just like groups?
>>>> Clear guidelines on how to use groups and roles will help.
>>>>
>>>> thanks
>>>> /Vinay
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
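
The access rule Dmitry outlines above ("coach" role plus membership in the same team group as the player), together with the per-team role naming Max considers, evaluated against the claims of a decoded Keycloak access token. This is an added example, not code from the thread or from Keycloak itself; it assumes roles arrive in the standard realm_access.roles claim, group paths arrive in a "groups" claim produced by a Group Membership protocol mapper with full group path enabled (e.g. "/club1/team1_1"), and "@" is the separator in the per-team role names.

```python
# Added example (not from the thread or from Keycloak): an application-side
# access check over decoded Keycloak token claims.
# Assumptions: realm roles in realm_access.roles; full group paths in a
# "groups" claim (Group Membership mapper, full path on); "@" separates a
# role from its team in Max's per-team naming scheme.

COACH_ROLE = "COACH"


def has_role(claims: dict, role: str) -> bool:
    """True if the given realm role is present in the token."""
    return role in claims.get("realm_access", {}).get("roles", [])


def teams_of(claims: dict) -> set:
    """Team-level groups: second-level paths like "/club1/team1_1"."""
    return {g for g in claims.get("groups", []) if g.count("/") == 2}


def coach_may_access_player(coach_claims: dict, player_team: str) -> bool:
    """Dmitry's rule: requester holds COACH and shares the player's team group."""
    return has_role(coach_claims, COACH_ROLE) and player_team in teams_of(coach_claims)


def scoped_roles(claims: dict, sep: str = "@") -> dict:
    """Max's alternative: parse roles like "COACH@team1_1" into {team: {roles}}."""
    out: dict = {}
    for r in claims.get("realm_access", {}).get("roles", []):
        if sep in r:
            role, team = r.split(sep, 1)
            out.setdefault(team, set()).add(role)
    return out


# Constructed sample claims for a coach of team1_1 (not real tokens).
COACH_TOKEN = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["COACH", "offline_access"]},
    "groups": ["/club1", "/club1/team1_1"],
}
# Constructed sample using the per-team role naming instead of groups.
SCOPED_TOKEN = {"realm_access": {"roles": ["COACH@team1_1", "PLAYER@team1_2"]}}

if __name__ == "__main__":
    print(coach_may_access_player(COACH_TOKEN, "/club1/team1_1"))  # True
    print(coach_may_access_player(COACH_TOKEN, "/club1/team1_2"))  # False
    print(scoped_roles(SCOPED_TOKEN))
```

The same check can be expressed as a Keycloak authorization-services policy instead of application code, which is what Dmitry's "fine-grained permissions" suggestion refers to.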