Applying bold and other changes to merge roles and groups topics.
This commit is contained in:
parent
83a8648b74
commit
bbc00004fc
12 changed files with 67 additions and 66 deletions
17
server_admin/topics/roles-groups.adoc
Normal file
|
@ -0,0 +1,17 @@
|
|||
== Assigning permissions and access using roles and groups
|
||||
|
||||
Roles and groups have a similar purpose, which is to give users access and permissions to use applications. Groups are a collection of users to which you apply roles and attributes. Roles define specific applications permissions and access control. Groups are an optional capability.
|
||||
|
||||
A role typically applies to one type of user. Typical roles in an organization include `Admin`, `user`, `manager`, and `employee`. An application can assign access and permissions to a role and then assign multiple users to that role so the users share the same access and permissions. For example, the Admin Console has roles that give permission to users to access parts of the Admin Console.
|
||||
|
||||
There is a global namespace for roles and each client also has its own dedicated namespace where roles can be defined.
|
||||
|
||||
include::roles-groups/proc-creating-realm-roles.adoc[]
|
||||
include::roles-groups/con-client-roles.adoc[]
|
||||
include::roles-groups/proc-converting-composite-roles.adoc[]
|
||||
include::roles-groups/proc-assigning-role-mappings.adoc[]
|
||||
include::roles-groups/con-default-roles.adoc[]
|
||||
include::roles-groups/con-role-scope-mappings.adoc[]
|
||||
include::roles-groups/proc-managing-groups.adoc[]
|
||||
include::roles-groups/con-comparing-groups-roles.adoc[]
|
||||
include::roles-groups/proc-specifying-default-groups.adoc[]
|
|
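Review bot: In the new intro, `Roles define specific applications permissions and access control.` should read 'application permissions', and that sentence defines roles a second time right before the paragraph that opens `A role typically applies to one type of user.`; keep one definition. Separately, this page shows a file path only for this hunk, so the nine `include::roles-groups/...` lines cannot be checked against the diff: confirm that all eight modified topic files were actually moved under `roles-groups/` and not edited in place under `roles/`, or the includes will not resolve.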
@ -2,4 +2,4 @@
|
|||
|
||||
=== Client Roles
|
||||
[role="_abstract"]
|
||||
Client roles are namespaces dedicated to clients. Each client gets its own namespace. Client roles are managed under the `Roles` tab for each client. You interact with this UI the same way you do for realm-level roles.
|
||||
Client roles are namespaces dedicated to clients. Each client gets its own namespace. Client roles are managed under the *Roles* tab for each client. You interact with this UI the same way you do for realm-level roles.
|
|
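Review bot: `Client roles are namespaces dedicated to clients.` conflates the roles with the namespace they live in; since the line is being touched anyway, 'Client roles are defined in a namespace dedicated to each client' says it directly and makes the next sentence (`Each client gets its own namespace.`) unnecessary.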
@ -1,6 +1,6 @@
|
|||
[id="con-comparing-groups-roles_{context}"]
|
||||
|
||||
==== Groups vs. Roles
|
||||
==== Groups compared to Roles
|
||||
[role="_abstract"]
|
||||
Groups and roles have some similarities and differences. In {project_name}, groups are a collection of users to apply roles and attributes. Roles define types of users and applications assign permissions and access control to roles.
|
||||
|
|
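Review bot: The abstract carried through this hunk still says `groups are a collection of users to apply roles and attributes`, which is missing 'to which'; the new chapter intro in this same commit has the correct form ('a collection of users to which you apply roles and attributes'), so align the two. The heading change to `Groups compared to Roles` is fine.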
@ -5,9 +5,7 @@
|
|||
[role="_abstract"]
|
||||
Default roles allow you to automatically assign user role mappings when any user is newly created or imported through
|
||||
<<_identity_broker, Identity Brokering>>.
|
||||
To specify default roles go to the `Roles` left menu item, and click the `Default Roles` tab or alternatively you can
|
||||
search for `default-roles-${realmName}` role in the `Realm Roles` tab and then click Edit. Please note the `default-roles-${realmName}`
|
||||
role cannot be removed because it serves as a container for both realm and client default roles.
|
||||
To specify default roles go to the *Roles* left menu item, and click the *Default Roles* tab.
|
||||
|
||||
.Default Roles
|
||||
image:{project_images}/default-roles.png[]
|
|
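Review bot: This hunk deletes the note that the `default-roles-${realmName}` role cannot be removed because it is the container for both realm and client default roles, along with the alternative path of finding it under `Realm Roles`. That is exactly what an administrator auditing what every newly created or brokered user is granted needs to know; unless the console no longer exposes that role, keep the sentence (with the labels in bold to match the rest of the change) instead of dropping it.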
@ -8,12 +8,12 @@ On creation of an OIDC access token or SAML assertion, the user role mappings be
|
|||
|
||||
_Role Scope Mappings_ limit the roles declared inside an access token. When a client requests a user authentication, the access token they receive contains only the role mappings that are explicitly specified for the client's scope. The result is that you limit the permissions of each individual access token instead of giving the client access to all the users permissions.
|
||||
|
||||
By default, each client gets all the role mappings of the user. You can view the role mappings in the `Scope` tab of each client.
|
||||
By default, each client gets all the role mappings of the user. You can view the role mappings in the *Scope* tab of each client.
|
||||
|
||||
.Full Scope
|
||||
image:{project_images}/full-client-scope.png[]
|
||||
|
||||
By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, set the `Full Scope Allowed` switch to ON and declare the specific roles you want in each client. You can also use <<_client_scopes, client scopes>> to define the same role scope mappings for a set of clients.
|
||||
By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, set the *Full Scope Allowed* switch to ON and declare the specific roles you want in each client. You can also use <<_client_scopes, client scopes>> to define the same role scope mappings for a set of clients.
|
||||
|
||||
.Partial Scope
|
||||
image:{project_images}/client-scope.png[]
|
|
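Review bot: The *Full Scope Allowed* instruction is inverted and the markup change carries the error through: the preceding context says `By default, each client gets all the role mappings of the user`, and ON is that default, so 'To change this default behavior, set the *Full Scope Allowed* switch to ON and declare the specific roles you want' must say OFF. A reader following the text as written would widen the roles placed in each token rather than restrict them, which defeats the purpose the first paragraph of the hunk describes. Also `all the users permissions` in the unchanged line needs an apostrophe (user's).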
@ -0,0 +1,22 @@
|
|||
[id="proc-assigning-role-mappings_{context}"]
|
||||
|
||||
=== User Role Mappings
|
||||
[role="_abstract"]
|
||||
You can assign User role mappings to a user through the *Role Mappings* tab for that user.
|
||||
|
||||
.Procedure
|
||||
. Click *Users* in the left menu.
|
||||
. Click the user that you want to perform a role mapping on. If the user is not displayed, click *View all users*.
|
||||
. Click the *Role Mappings* tab.
|
||||
. Click the role you want to assign to the user in the *Available Roles* box.
|
||||
. Click *Add selected*.
|
||||
|
||||
.Role Mappings
|
||||
image:{project_images}/user-role-mappings.png[]
|
||||
|
||||
In the above example, we are assigning the composite role *developer* that was created in the <<_composite-roles, Composite Roles>> chapter to a user.
|
||||
|
||||
.Effective Role Mappings
|
||||
image:{project_images}/effective-role-mappings.png[]
|
||||
|
||||
When the *developer* role is assigned, the *employee* role associated with the *developer* composite is displayed in the *Effective Roles* box. *Effective Roles* are the roles explicitly assigned to users and roles that are inherited from composites.
|
|
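Review bot: Bolding `*developer*` and `*employee*` in the last two paragraphs makes role names look like console controls; elsewhere in this commit role names stay in code font (`Admin`, `user`, `manager`, `employee` in the new roles-groups.adoc), so pick one convention: bold for UI labels such as *Role Mappings* and *Add selected*, code font for role identifiers. The same applies to the composite-roles hunk. Also verify that `<<_composite-roles, Composite Roles>>` still resolves after the move, since the moved topics use `[id="...-{context}"]` ids rather than a bare `_composite-roles` anchor.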
@ -8,16 +8,16 @@ Any realm or client level role can be a _composite role_. A _composite role_ is
|
|||
|
||||
To convert a role to a composite role:
|
||||
|
||||
. Click `Roles` in the left menu.
|
||||
. Click *Roles* in the left menu.
|
||||
. Click the role to access the roles detail page.
|
||||
. Set `Composite Roles` to ON.
|
||||
. Set *Composite Roles* to ON.
|
||||
|
||||
.Composite Role
|
||||
image:{project_images}/composite-role.png[]
|
||||
|
||||
The role selection UI is displayed on the page and you can associate realm level and client level roles to the composite role you are creating.
|
||||
|
||||
In this example, the `employee` realm-level role is associated with the `developer` composite role. Any user with the `developer` role also inherits the `employee` role.
|
||||
In this example, the *employee* realm-level role is associated with the *developer* composite role. Any user with the *developer* role also inherits the *employee* role.
|
||||
|
||||
[NOTE]
|
||||
====
|
|
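Review bot: `realm level and client level roles` in the unchanged line above the example should be hyphenated ('realm-level and client-level') to match `the *employee* realm-level role` two lines below.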
@ -2,7 +2,7 @@
|
|||
|
||||
=== Realm Roles
|
||||
[role="_abstract"]
|
||||
Realm-level roles are a namespace for defining your roles. To see the list of roles, click `Roles` in the left menu.
|
||||
Realm-level roles are a namespace for defining your roles. To see the list of roles, click *Roles* in the left menu.
|
||||
|
||||
image:{project_images}/roles.png[]
|
||||
|
||||
|
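Review bot: `Realm-level roles are a namespace for defining your roles.` is circular. Since the line is being edited, say what the namespace is: 'Realm roles are defined in a namespace shared by the whole realm, as opposed to the per-client namespace described under Client Roles', then the click instruction.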
@ -10,11 +10,11 @@ To create a role:
|
|||
|
||||
.Procedure
|
||||
. Click *Add Role*.
|
||||
. Enter a `Role Name`.
|
||||
. Enter a `Description`.
|
||||
. Enter a *Role Name*.
|
||||
. Enter a *Description*.
|
||||
. Click *Save*.
|
||||
|
||||
.Add Role
|
||||
image:{project_images}/role.png[]
|
||||
|
||||
The `description` field can be localizable by specifying a substitution variable with `$\{var-name}` strings. The localized value is configured to your theme within the themes property files. See the vlink:{developerguide_link}[{developerguide_name}] for more details.
|
||||
The *description* field can be localizable by specifying a substitution variable with `$\{var-name}` strings. The localized value is configured to your theme within the themes property files. See the vlink:{developerguide_link}[{developerguide_name}] for more details.
|
|
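Review bot: `The *description* field can be localizable` should be 'can be localized', and the label should match the control name used three steps earlier (*Description*). Because this line also carries `$\{var-name}`, check the rendered output shows a literal `${var-name}` and not the backslash.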
@ -3,7 +3,7 @@
|
|||
[role="_abstract"]
|
||||
Groups in {project_name} manage a common set of attributes and role mappings for each user. Users can be members of any number of groups and inherit the attributes and role mappings assigned to each group.
|
||||
|
||||
To manage groups, click `Groups` in the left menu.
|
||||
To manage groups, click *Groups* in the left menu.
|
||||
|
||||
.Groups
|
||||
image:{project_images}/groups.png[]
|
||||
|
@ -12,15 +12,15 @@ Groups are hierarchical. A group can have multiple subgroups but a group can hav
|
|||
|
||||
If you have a parent group and a child group, and a user that belongs only to the child group, the user in the child group inherits the attributes and role mappings of both the parent group and the child group.
|
||||
|
||||
The following example includes a top-level `Sales` group and a child `North America` subgroup.
|
||||
The following example includes a top-level *Sales* group and a child *North America* subgroup.
|
||||
|
||||
To add a group:
|
||||
|
||||
. Click the group.
|
||||
. Click `New`.
|
||||
. Select the `Groups` icon in the tree to make a top-level group.
|
||||
. Enter a group name in the `Create Group` screen.
|
||||
. Click `Save`. The group management page displays.
|
||||
. Click *New*.
|
||||
. Select the *Groups* icon in the tree to make a top-level group.
|
||||
. Enter a group name in the *Create Group* screen.
|
||||
. Click *Save*. The group management page displays.
|
||||
+
|
||||
.Group
|
||||
image:{project_images}/group.png[]
|
||||
|
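Review bot: The add-group steps mix two paths: step 1 (`Click the group.`) is what you do to create a subgroup under an existing group, while step 3 (`Select the *Groups* icon in the tree to make a top-level group.`) is the top-level case, so a reader following the list in order does both. Fold them into one step before *New* ('Select the parent group, or the *Groups* icon for a top-level group') and add the `.Procedure` label the other procedures in this commit use.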
@ -29,22 +29,22 @@ Attributes and role mappings you define are inherited by the groups and users th
|
|||
|
||||
To add a user to a group:
|
||||
|
||||
. Click `Users` in the left menu.
|
||||
. Click the user that you want to perform a role mapping on. If the user is not displayed, click `View all users`.
|
||||
. Click `Groups`.
|
||||
. Click *Users* in the left menu.
|
||||
. Click the user that you want to perform a role mapping on. If the user is not displayed, click *View all users*.
|
||||
. Click *Groups*.
|
||||
+
|
||||
.User Groups
|
||||
image:{project_images}/user-groups.png[]
|
||||
+
|
||||
. Select a group from the `Available Groups` tree.
|
||||
. Click `Join`.
|
||||
. Select a group from the *Available Groups* tree.
|
||||
. Click *Join*.
|
||||
|
||||
To remove a group from a user:
|
||||
|
||||
. Select the group from the `Group Membership` tree.
|
||||
. Click `Leave`.
|
||||
. Select the group from the *Group Membership* tree.
|
||||
. Click *Leave*.
|
||||
|
||||
In this example, the user _jimlincoln_ is in the _North America_ group. You can see _jimlincoln_ displayed under the `Members` tab for the group.
|
||||
In this example, the user _jimlincoln_ is in the _North America_ group. You can see _jimlincoln_ displayed under the *Members* tab for the group.
|
||||
|
||||
.Group Membership
|
||||
image:{project_images}/group-membership.png[]
|
|
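Review bot: Step 2 (`Click the user that you want to perform a role mapping on.`) is copied from the role-mapping procedure; here it should read 'Click the user you want to add to a group'. Also `To remove a group from a user:` reverses the relationship the steps describe (*Group Membership* tree, *Leave*); 'To remove a user from a group' is the correct direction.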
@ -6,8 +6,8 @@ To automatically assign group membership to new users, that are created or impor
|
|||
|
||||
To specify default groups:
|
||||
|
||||
. Click `Groups` in the left menu.
|
||||
. Click the `Default Groups` tab.
|
||||
. Click *Groups* in the left menu.
|
||||
. Click the *Default Groups* tab.
|
||||
|
||||
.Default Groups
|
||||
image:{project_images}/default-groups.png[]
|
|
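Review bot: The context line `To automatically assign group membership to new users, that are created or impor...` has a comma before a restrictive clause; drop it ('new users that are created or imported'). The 'new users' qualifier is the important part of that sentence, since default groups carry role mappings and attributes into every account created from then on; keep it prominent rather than buried after the comma.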
@ -1,14 +0,0 @@
|
|||
== Roles and Groups
|
||||
A role typically applies to one type of user. Typical roles in an organization include `Admin`, `user`, `manager`, and `employee`. An application can assign access and permissions to a role and then assign multiple users to that role so the users share the same access and permissions. For example, the Admin Console has roles that give permission to users to access parts of the Admin Console.
|
||||
|
||||
There is a global namespace for roles and each client also has its own dedicated namespace where roles can be defined.
|
||||
|
||||
include::roles/proc-creating-realm-roles.adoc[]
|
||||
include::roles/con-client-roles.adoc[]
|
||||
include::roles/proc-converting-composite-roles.adoc[]
|
||||
include::roles/proc-assigning-role-mappings.adoc[]
|
||||
include::roles/con-default-roles.adoc[]
|
||||
include::roles/con-role-scope-mappings.adoc[]
|
||||
include::roles/proc-managing-groups.adoc[]
|
||||
include::roles/con-comparing-groups-roles.adoc[]
|
||||
include::roles/proc-specifying-default-groups.adoc[]
|
|
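Review bot: Deleting `topics/roles.adoc` changes the include path of the whole chapter, but nothing in this diff updates whatever parent document previously did `include::topics/roles.adoc[]`; confirm it now includes `topics/roles-groups.adoc`, otherwise the build reports an unresolved include and the chapter disappears.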
@ -1,22 +0,0 @@
|
|||
[id="proc-assigning-role-mappings_{context}"]
|
||||
|
||||
=== User Role Mappings
|
||||
[role="_abstract"]
|
||||
You can assign User role mappings to a user through the `Role Mappings` tab for that user.
|
||||
|
||||
.Procedure
|
||||
. Click `Users` in the left menu.
|
||||
. Click the user that you want to perform a role mapping on. If the user is not displayed, click `View all users`.
|
||||
. Click the `Role Mappings` tab.
|
||||
. Click the role you want to assign to the user in the `Available Roles` box.
|
||||
. Click `Add selected`.
|
||||
|
||||
.Role Mappings
|
||||
image:{project_images}/user-role-mappings.png[]
|
||||
|
||||
In the above example, we are assigning the composite role `developer` that was created in the <<_composite-roles, Composite Roles>> chapter to a user.
|
||||
|
||||
.Effective Role Mappings
|
||||
image:{project_images}/effective-role-mappings.png[]
|
||||
|
||||
When the `developer` role is assigned, the `employee` role associated with the `developer` composite is displayed in the `Effective Roles` box. `Effective Roles` are the roles explicitly assigned to users and roles that are inherited from composites.
|
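Review bot: This file appears as deleted here and re-added under `roles-groups/` above, although the only difference between the two copies is the backtick-to-bold change on a handful of lines; commit the move separately from the markup edit (or let rename detection pair them) so the file keeps its history and the review diff shrinks to the six changed lines.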