23 lines
1.4 KiB
Text
23 lines
1.4 KiB
Text
|
= Roles
|
||
|
|
||
|
In Keycloak, roles can be defined globally at the realm level, or individually per application.
|
||
|
Each role has a name which must be unique at the level it is defined in, i.e.
|
||
|
you can have only one "admin" role at the realm level.
|
||
|
You may have that a role named "admin" within an Application too, but "admin" must be unique for that application.
|
||
|
|
||
|
The description of a role is displayed in the OAuth Grant page when Keycloak is processing a browser OAuth Grant request.
|
||
|
Look for more features being added here in the future like internationalization and other fine grain options.
|
||
|
|
||
|
== Composite Roles
|
||
|
|
||
|
Any realm or application level role can be turned into a Composite Role.
|
||
|
A Composite Role is a role that has one or more additional roles associated with it.
|
||
|
I guess another term for it could be Role Group.
|
||
|
When a composite role is mapped to the user, the user gains the permission of that role, plus any other role the composite is associated with.
|
||
|
This association is dynamic.
|
||
|
So, if you add or remove an associated role from the composite, then all users that are mapped to the composite role will automatically have those permissions added or removed.
|
||
|
Composites can also be used to define Client scopes.
|
||
|
|
||
|
Composite roles can be associated with any type of role Realm or Application.
|
||
|
In the admin console simple flip the composite switch in the Role detail, and you will get a screen that will allow you to associate roles with the composite.
|