Open slifty opened 1 day ago
I just looked at the latest Keycloak docs. Lo and behold, version 26 has something we might like: Organizations.
In my comment in #1093 I am glad I explicitly linked to the particular minor version of Keycloak I was referring to because that version (one of the versions starting with 25) did not have Organizations.
Off the cuff, a design comes to mind:
id which should be a UUID.
The net effect of this should be that we can delegate group and user management to Keycloak almost entirely while allowing users in PDC to mark permissions on objects at either a user or group level (where the group is identical with a Keycloak Organization).
In #1093 @bickelj asked some questions about using Keycloak for managing permissions and didn't really get a direct answer (sorry Jesse, there were enough moving parts / trying to scope out the core use cases)!
Right now I'm just about finished with the MVP of our permissions based on which will involve a roles table, but it would be reasonable to take a moment to reflect on what a Keycloak-based granular permissions system would look like and what the benefits / negatives would be.