2015-07-17 11:45:43 +00:00
|
|
|
<chapter id="roles">
|
|
|
|
|
<title>Roles</title>
|
|
|
|
|
<para>
|
2015-11-20 21:18:42 +00:00
|
|
|
In Keycloak, roles can be defined globally at the realm level, or individually per application.
|
2015-07-17 11:45:43 +00:00
|
|
|
Each role has a name which must be unique at the level it is defined in, i.e. you can have only one "admin" role at
|
|
|
|
|
the realm level. You may have that a role named "admin" within an Application too, but "admin" must be unique
|
|
|
|
|
for that application.
|
|
|
|
|
</para>
|
|
|
|
|
<para>
|
|
|
|
|
The description of a role is displayed in the OAuth Grant page when Keycloak is processing a browser OAuth
|
|
|
|
|
Grant request. Look for more features being added here in the future like internationalization and other fine
|
|
|
|
|
grain options.
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Composite Roles</title>
|
|
|
|
|
<para>
|
|
|
|
|
Any realm or application level role can be turned into a Composite Role. A Composite Role is a role that has
|
|
|
|
|
one or more additional roles associated with it. I guess another term for it could be Role Group.
|
|
|
|
|
When a composite role is mapped to the user, the user gains the permission of that role, plus any other role the
|
|
|
|
|
composite is associated with. This association is dynamic. So, if you add or remove an associated role from
|
|
|
|
|
the composite, then all users that are mapped to the composite role will automatically have those permissions
|
|
|
|
|
added or removed. Composites can also be used to define Client scopes.
|
|
|
|
|
</para>
|
|
|
|
|
<para>
|
|
|
|
|
Composite roles can be associated with any type of role Realm or Application. In the admin console simple
|
|
|
|
|
flip the composite switch in the Role detail, and you will get a screen that will allow you to associate roles
|
|
|
|
|
with the composite.
|
|
|
|
|
</para>
|
|
|
|
|
</section>
|
2014-02-14 16:30:56 +00:00
|
|
|
</chapter>
|
