
User Ankit is in two groups named flights and hotels. In flights, he is a manager. In hotels, he is a supervisor.

Can we assign these different roles to Ankit in different groups in Keycloak?

Siva Thangaraj

1 Answer

I think you have to separate the roles to be specific to the group - you'd need a flights-manager role and a separate hotels-manager role and so on.

You can assign roles to a user or group but assigning roles to a group effectively assigns those roles to all the members of the group. I think this is pretty typical.

When you assign roles to the user, you just assign roles to the user and not a user within a group.

There's a thread in the Keycloak mailing list where this comes up. Basically groups are just ways of collecting users and not part of the access control structure.

If hotels and flights correspond to apps then you might want to consider whether you could handle them as clients rather than groups but I think you'd still need to have separate sets of roles.

Ryan Dawson
  • Thank you, but finally, is it impossible to have multiple roles for a user in different groups? – Siva Thangaraj Nov 20 '18 at 05:33
  • Can I ask what the motivation is? Are you trying to port an existing app (e.g. using LDAP) to keycloak (e.g. with an LDAP role mapper)? Or is this for a new app? I am wondering what your options are. Either way I think you would have to create distinct roles like flights-manager and hotels-manager. – Ryan Dawson Nov 20 '18 at 09:40
  • I am trying to port an existing app using LDAP to Keycloak. – Siva Thangaraj Nov 21 '18 at 09:18
  • Ok then I think you need separate keycloak roles for flights-manager, flights-developer and hotels-manager, hotels-developer. Then the role mapping from ldap needs to distinguish which ldap role to map to a keycloak role based upon ldap group. This could be part of the migration process or maybe done using the role mapping functionality but I think it will require some customisation/coding either way. – Ryan Dawson Nov 21 '18 at 10:44
  • Do also feel free to ask on the keycloak mailing list if you're still unsure. Perhaps someone there will be able to provide an example. – Ryan Dawson Nov 21 '18 at 10:55
  • Thank you. This helped, but it will lead to a huge number of roles. – Siva Thangaraj Nov 27 '18 at 06:21
  • I realised I should say that if 'manager' is a realm admin role then yours could be a fine-grained access control use-case (though my impression is it probably isn't) - https://stackoverflow.com/a/53600264/9705485 – Ryan Dawson Dec 03 '18 at 19:40
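The answer above says Keycloak cannot scope a role to a group, so the migration has to flatten each (group, LDAP role) pair into its own realm role such as flights-manager, and the later comment notes that the LDAP-to-Keycloak mapping must therefore look at the LDAP group as well as the LDAP role. The following is an added example, not code from the question, the answer, or the Keycloak project: it builds those flattened role names from constructed sample LDAP data, emits a fragment in Keycloak's realm-import JSON layout (roles.realm, groups, users with realmRoles and group paths), and shows the check an application would then do against the token's realm_access.roles. The `<group>-<role>` naming, the separator, and the sample uids are assumptions made for the example.

```python
"""Map LDAP (group, role) pairs to flat Keycloak realm roles and build a realm
import fragment.  Added example; the LDAP data below is constructed, and the
``<group>-<role>`` naming convention is an assumption following the answer."""

import json
from typing import Dict, List, Set

# Constructed sample directory data: for each application group, which LDAP
# role each uid holds.  A real migration would read this via ldap3/ldapsearch.
LDAP_GROUP_ROLES: Dict[str, Dict[str, Set[str]]] = {
    "flights": {"manager": {"ankit", "priya"}, "developer": {"ankit", "dev1"}},
    "hotels": {"supervisor": {"ankit"}, "developer": {"dev2"}},
}

SEP = "-"  # assumed separator for the flattened role name


def keycloak_role_name(group: str, ldap_role: str) -> str:
    """Flatten one (group, role) pair into the realm role Keycloak will hold.

    Keycloak roles are realm- or client-wide and cannot be scoped to a group,
    so the group name becomes part of the role name.  Names containing the
    separator are refused: "a-b"+"c" and "a"+"b-c" would otherwise collide,
    and a collision would silently grant the wrong group's privileges.
    """
    for part in (group, ldap_role):
        if not part or SEP in part:
            raise ValueError(f"name {part!r} is empty or contains {SEP!r}")
    return f"{group}{SEP}{ldap_role}"


def realm_roles(ldap: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Every realm role the migration must create (one per group x role)."""
    return sorted(keycloak_role_name(g, r) for g, roles in ldap.items() for r in roles)


def user_role_mappings(ldap: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """uid -> set of flattened realm roles, e.g. ankit -> {flights-manager, ...}."""
    out: Dict[str, Set[str]] = {}
    for group, roles in ldap.items():
        for ldap_role, members in roles.items():
            for uid in members:
                out.setdefault(uid, set()).add(keycloak_role_name(group, ldap_role))
    return out


def user_groups(ldap: Dict[str, Dict[str, Set[str]]], uid: str) -> List[str]:
    """Keycloak group paths for the user; groups stay plain collections with no roles."""
    return sorted(f"/{g}" for g, roles in ldap.items()
                  if any(uid in members for members in roles.values()))


def realm_import(realm: str, ldap: Dict[str, Dict[str, Set[str]]]) -> dict:
    """Fragment in Keycloak's realm-import JSON layout: roles.realm, groups, users."""
    mappings = user_role_mappings(ldap)
    return {
        "realm": realm,
        "roles": {"realm": [{"name": r} for r in realm_roles(ldap)]},
        "groups": [{"name": g} for g in sorted(ldap)],
        "users": [
            {"username": uid, "enabled": True,
             "realmRoles": sorted(mappings[uid]),
             "groups": user_groups(ldap, uid)}
            for uid in sorted(mappings)
        ],
    }


def is_role_in_group(token_realm_roles: Set[str], group: str, ldap_role: str) -> bool:
    """Application-side check against the token's realm_access.roles claim:
    'manager in flights' is answered by looking for the flights-manager role."""
    return keycloak_role_name(group, ldap_role) in token_realm_roles


if __name__ == "__main__":
    print(json.dumps(realm_import("travel", LDAP_GROUP_ROLES), indent=2))
```

Running the script prints the import fragment; the role count grows as groups times roles per group, which is the proliferation the asker points out. Because the group name is baked into the role, an application that checks `flights-manager` cannot be satisfied by a `hotels-manager` grant, which is the property the original per-group assignment was trying to get.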