30 lines
1.7 KiB
Text
30 lines
1.7 KiB
Text
|
= Groups
|
||
|
|
||
|
Groups in Keycloak allow you to manage a common set of attributes and role mappings for a large set of users.
|
||
|
Users can be members of zero or more groups.
|
||
|
Users inherit the attributes and role mappings assign to each group.
|
||
|
As an admin this makes it easy for you to manage permissions for a user in one place.
|
||
|
|
||
|
Groups are hierarchical.
|
||
|
A group can have many subgroups, but a group can only have one parent.
|
||
|
Subgroups inherit the attributes and role mappings from the parent.
|
||
|
This applies to user as well.
|
||
|
So, if you have a parent group and a child group and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child.
|
||
|
|
||
|
== Groups vs. Roles
|
||
|
|
||
|
In the IT world the concepts of Group and Role are often blurred and interchangeable.
|
||
|
In Keycloak, Groups are just a collection of users that you can apply roles and attributes to in one place.
|
||
|
Roles are used to assign permissions and access control.
|
||
|
|
||
|
Keycloak Roles have the concept of a Composite Role.
|
||
|
A role can be associated with one or more additional roles.
|
||
|
This is called a Composite Role.
|
||
|
If a user has a role mapping to the Composite Role, they inherit all the roles associated with the composite.
|
||
|
So what's the difference from a Keycloak Group and a Composite Role? Logically they could be used for the same exact thing.
|
||
|
The difference is conceptual.
|
||
|
Composite roles should be used to compose the permission model of your set of services and applications.
|
||
|
So, roles become a set of permissions.
|
||
|
Groups on the other hand, would be a set of users that have a set of permissions.
|
||
|
Use Groups to manage users, composite roles to manage applications and services.
|