Efficient management of roles through groups


Post by suchona.kani.z »

You can now control authorization through roles. These can be assigned to a type or category of user (for example, sales employees). There are basically three types of roles:

1. Realm Role: a global role that is available in every client and can be assigned to any user.

2. Client Role: a role that is only available in a specific client and is not accessible from other clients.

3. Composite Roles: One or more other roles are linked to a composite role. Users always have the linked roles of a composite role to which they are assigned.

General permissions are suitable as realm roles, and more fine-grained permissions that are used exclusively by the individual clients are suitable as client roles. Figure 2 shows an example overview of possible realm roles.

Figure 2: Overview of the realm roles. The roles “offline_access” and “uma_authorization” are present by default.

Securing a resource through roles
You can now use the defined roles directly to secure your frontend and backend services. Applications based on HTML5/JavaScript can easily integrate Keycloak's functions using a JavaScript adapter. With this adapter, you can display individual areas of your application using conditional rendering with the following method, for example:


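// Opening lines are missing from the post; the function name and the URL are placeholders.
const keycloak = new Keycloak({
    url: 'https://keycloak.example.com', // placeholder for your Keycloak base URL
    realm: 'Meine-anwendung',
    clientId: 'meine-anwendung-webapp'
});
// Returns a meaningful result only after keycloak.init() has completed.
function hasRole(roleName) {
    return keycloak.hasRealmRole(roleName);
}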

Securing bean classes and methods in Java is similarly easy. Access can be restricted or permitted using annotations:


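import javax.annotation.security.*;

// Class-level default: methods without their own annotation require "administrator".
@RolesAllowed("administrator")
public class Ressource {
    // Method-level annotation overrides the class-level one.
    @RolesAllowed("entwickler")
    public void exampleMethod() {
        //...
    }

    // Open to every caller, regardless of role.
    @PermitAll
    public Object getExampleRessource() {
        //...
    }
}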

It is often possible to define groups of users with multiple access rights, for example according to the structure of a company. You can create these as groups in Keycloak and assign roles to them. You can then assign users to any number of groups. The advantage of this is that you do not have to assign your roles to users individually, thus saving you the hassle of maintenance (although it is also possible to assign roles to users individually). Figure 3 shows an example of the role overview for a "Manager" group.
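
How the composite-role and group rules described in the post combine into a user's effective roles, as an added example that is not part of the original post and not Keycloak's own code. It is a small in-memory model; apart from "administrator" and "entwickler", all role, group and user names are constructed.

```javascript
// Constructed sample data. "administrator" and "entwickler" appear on this
// page; every other role, group and user name is made up for illustration.
const composites = {            // composite role -> linked roles
  manager: ['entwickler', 'reporting'],
  reporting: ['report-viewer'],
};
const groupRoles = {            // group -> roles assigned to the group
  Manager: ['manager'],
  Sales: ['report-viewer'],
};
const users = {                 // user -> direct roles and group memberships
  alice: { roles: ['administrator'], groups: ['Sales'] },
  bob: { roles: [], groups: ['Manager', 'Sales'] },
};

// A role plus everything linked to it through composites, transitively.
// The seen-set stops a cyclic composite definition from recursing forever.
function expandRole(role, seen = new Set()) {
  if (seen.has(role)) return seen;
  seen.add(role);
  for (const linked of composites[role] || []) expandRole(linked, seen);
  return seen;
}

// Map each effective role to the assignments that grant it, so a reviewer
// can see why a user holds a role and not only that they hold it.
function effectiveRoles(userName) {
  const user = users[userName] || { roles: [], groups: [] };
  const grants = new Map();
  const record = (source, assigned) => {
    for (const role of expandRole(assigned)) {
      if (!grants.has(role)) grants.set(role, []);
      grants.get(role).push(`${source} -> ${assigned}`);
    }
  };
  for (const role of user.roles) record('direct', role);
  for (const group of user.groups) {
    for (const role of groupRoles[group] || []) record(`group:${group}`, role);
  }
  return grants;
}

// The question hasRealmRole() answers in the adapter, on the modelled data.
function hasRole(userName, role) {
  return effectiveRoles(userName).has(role);
}
```

The grant list per role is what makes a periodic access review practical: a role reached through several groups stays in place until every granting assignment is removed.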