p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

FR: extend default roles by api #82

Closed paulwer closed 1 year ago

paulwer commented 1 year ago

Is there currently a way to extend the default roles of organizations by custom roles, which then are applied by default for all organizations?

Usage: we had resources, which are connected to organizations, and want to manage access within the organizations without writing a program which checks, for any org, if the necessary roles are defined. E.g. view-ressources-name, manage-ressources-name

xgp commented 1 year ago

Without an example, I'm not sure what you're suggesting. Today, an OrganizationRole is associated with an Organization. There are defaults when you create an Organization that pertain to permissions within the role (e.g. view-organization, manage-organization, etc.), and OrganizationRoles are not shared across Organizations.

We put together a proposal for de-coupling that, so that OrganizationRoles are independent of Organizations: https://github.com/p2-inc/keycloak-orgs/issues/48 Is that what you're looking for? If not, share an example scenario.

paulwer commented 1 year ago

Organizations have defined and default roles. Default roles (my observation) get created on organization creation and cannot be deleted. They are used for RBAC within org use cases. Defined roles can be created within each org individually. Our "wish" is that we can administrate additional default roles, which can be used within all organizations independently.

Our current workflow plan is to create a service which checks and defines these additional roles, as needed.

xgp commented 1 year ago

Thank you for explaining further. There is not currently a way to do this. For our own applications, we do this at organization creation, as you suggest in your workplan.

The proposal I linked to above would be to move all roles to a default, "rather" than making them part of a specific organization. In the prototype of that proposal, we have done the migration in a way such that any roles you define in "all" organizations would become defaults. Beyond that, it's not yet decided if/how we would deal with roles that are part of only specific organizations.

xgp commented 1 year ago

Closing in favor of https://github.com/p2-inc/keycloak-orgs/issues/48

Please comment there.