[keycloak-user] Keycloak Roles and Usergroups

Dmitry Telegin dt at acutus.pro
Wed Jul 25 19:58:24 EDT 2018


Hi Max,

What about user attributes?

No matter which team/group the Coach is in, you can go to User > Attributes, and add a multivalued attribute describing teams/groups this coach should have access to. (The values should be separated with ##)

After that, you'll be able (hopefully :) to use this info in a JavaScript policy for permission evaluation.

Cheers,
Dmitry

On Wed, 2018-07-25 at 09:06 +0000, Max Bruchmann wrote:
> Hi Dmitry,
> 
> thank you for your reply
> 
> > Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members).
> 
> Yes I just was not sure if I overlooked something here.
> 
> Regarding the fine-grained approach. The problem would be that a user may be a PLAYER in a certain team/group but a COACH in a different team/group.
> 
> > > I was thinking about creating roles like for example COACH at team1_1 and PLAYER at team_1_2. So during the permission evaluation I could parse this information.
> 
> Unfortunately Keycloak has paging query support for neither Roles nor Groups, and therefore this approach currently would not scale, as you may generate a few thousand roles.
> 
> My current idea is that I handle this hierarchical role concept in a custom application and just use Keycloak for authentication and global role management.
> 
> 
> Kind Regards,
> Max
> 
> On 23.07.18 at 03:18, Dmitry Telegin wrote:
> > Hi Max,
> > 
> > On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> > > Hi Dmitry,
> > > 
> > > do you know if there is any way to retrieve the group context of a role?
> > 
> > Could you please elaborate on the "group context of a role"? In Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members).
> > 
> > > My use case would be that I have multiple sport clubs (group) with multiple teams (subgroup)
> > > 
> > > -club1
> > > --team1_1
> > > --team1_2
> > > -club2
> > > --team2_1
> > > --team2_1
> > > 
> > > 
> > > I have for example the role COACH but of course this role makes only sense in context of the team.
> > 
> > I agree with that, but what's the (bigger) problem you're trying to solve?
> > 
> > I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following:
> > 
> > - create the "coach" role;
> > - grant this role to all coaches;
> > - put your coaches into the corresponding groups (teams);
> > - use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player).
> > 
> > Hope it helps,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > > As far as I understand Keycloak, this is currently not possible.
> > > 
> > > 
> > > Kind Regards,
> > > 
> > > Max
> > > 
> > > 
> > > On 10.07.18 at 14:58, Dmitry Telegin wrote:
> > > > Hi Vinay,
> > > > 
> > > > From my experience, I'd say that:
> > > > - roles are more likely to reflect a person's functions in the
> > > > organization;
> > > > - groups are more likely to reflect organizational structure.
> > > > 
> > > > For example, if there are offices and departments (like "NY Office",
> > > > "IT Department"), that would normally map to nested groups.
> > > > 
> > > > On the other hand, business functions would rather map to roles (like
> > > > "managers", "developers", "sysadmins" etc.)
> > > > 
> > > > There's also a number of technical differences:
> > > > - akin to nested groups, there are composite roles. However, the logic
> > > > is different: if you grant a composite role to a user, every child role
> > > > would be granted, too (which is not true for groups);
> > > > - you can assign a role to a group (not vice versa);
> > > > - by default, Keycloak adapters can restrict access based on roles
> > > > only. If you want to use groups for the same, you'll need to turn on
> > > > authorization services and create corresponding policies.
> > > > 
> > > > Could you please elaborate on your particular use case? If you describe
> > > > it briefly, I think we'll be able to decide what's better for you.
> > > > 
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > > 
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > > 
> > > > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> > > > > What is the difference between Keycloak roles and usergroups? Are they
> > > > > interchangeable, i.e. can we use roles instead of groups or vice versa
> > > > > to address a problem? Is it possible to have roles within roles, just
> > > > > like groups?
> > > > > Clear guidelines on how to use groups and roles will help.
> > > > > 
> > > > > thanks
> > > > > /Vinay
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
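To make the attribute-based rule from this reply concrete, here is an added example (not code from the thread and not Keycloak's own code): a plain-JavaScript model of the check a JavaScript policy would perform. It assumes a realm role named `coach`, a multivalued user attribute named `coach_teams`, and the constructed identities shown in the block; a real Keycloak policy would obtain the same inputs through `$evaluation.getContext().getIdentity()` (`hasRealmRole(...)`, `getAttributes().getValue(...)`) and end with `$evaluation.grant()` or `$evaluation.deny()`. It also covers Max's case of one person being COACH in one team and PLAYER in another, and the case of an attribute set without the role.

```javascript
'use strict';

// Added example: a plain-JavaScript model of the attribute-based rule from the
// thread. Keycloak's real JavaScript policies run inside the server and read
// the requester through the $evaluation object, e.g.
//   $evaluation.getContext().getIdentity().hasRealmRole('coach')
//   $evaluation.getContext().getIdentity().getAttributes().getValue('coach_teams')
// and finish with $evaluation.grant() or $evaluation.deny(). The attribute
// name "coach_teams", the role name "coach" and every identity below are
// assumptions made for this example, not values from the thread.

// Separator the admin console uses when several values are typed into one
// multivalued attribute field, e.g. "team1_1##team1_2".
const MULTIVALUE_SEPARATOR = '##';

// Split a "##"-separated attribute string into trimmed, non-empty values.
function parseMultivaluedAttribute(raw) {
  if (typeof raw !== 'string') return [];
  return raw
    .split(MULTIVALUE_SEPARATOR)
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// Policy rule: grant only when the requester holds the realm role "coach" AND
// the player's team is listed in the requester's coach_teams attribute. Either
// check alone is insufficient: the role says the person is a coach somewhere,
// the attribute says where.
function evaluateCoachAccess(identity, playerTeam) {
  const roles = Array.isArray(identity.realmRoles) ? identity.realmRoles : [];
  if (!roles.includes('coach')) return 'deny';
  const attrs = identity.attributes || {};
  const coachTeams = parseMultivaluedAttribute(attrs.coach_teams);
  return coachTeams.includes(playerTeam) ? 'grant' : 'deny';
}

// Constructed identity for the scenario Max described: coach in team1_1 but
// only a player in team1_2.
const coachAndPlayer = {
  username: 'constructed-user-1',
  realmRoles: ['coach', 'player'],
  attributes: { coach_teams: 'team1_1', player_teams: 'team1_2' },
};

// Constructed identity that was given the attribute but never the role; the
// rule must still deny.
const attributeOnly = {
  username: 'constructed-user-2',
  realmRoles: ['player'],
  attributes: { coach_teams: 'team1_1##team2_1' },
};

// Run the rule over a small table of (identity, player's team) requests and
// return the decisions so they can be inspected or asserted on.
function runScenario() {
  return {
    ownTeam: evaluateCoachAccess(coachAndPlayer, 'team1_1'),
    playerOnlyTeam: evaluateCoachAccess(coachAndPlayer, 'team1_2'),
    otherClub: evaluateCoachAccess(coachAndPlayer, 'team2_1'),
    noRole: evaluateCoachAccess(attributeOnly, 'team1_1'),
    parsed: parseMultivaluedAttribute('team1_1## team1_2 ##'),
  };
}

console.log(runScenario());
```

The two-part check is the point: the role alone would let a coach of team1_1 read team1_2's players, and the attribute alone would let an administrator grant coach-level access by typo. Keeping both, plus the player's team on the resource side, is what the fine-grained approach in the thread relies on.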

