Design the Group/Tenant Feature #9

Closed
opened 2025-04-22 23:36:11 +00:00 by abed.alrahman · 1 comment
Member

Ref epic: [#13](https://git.cleverthis.com/clevermicro/user-management/issues/13)

Goal: Design a robust and flexible system for representing and managing multi-user groups (which can function as organizations or tenants) within Keycloak.

Description:
This ticket will design the group feature, which allows multiple accounts to be grouped into one organization or tenant. The ticket should produce a document about the design with Keycloak, for example, which field will be used, what the format of the data structures is, etc.

What needs to be designed:

- Keycloak Representation:
    - Evaluate and recommend the best Keycloak feature for representing groups/tenants (e.g., Keycloak Groups, Attributes, Realms, Roles). Keycloak Groups (/groups) are strongly recommended as standard practice.
    - Define how group hierarchy (if needed) will be handled.
- Group Metadata:
    - Specify what information defines a group (e.g., unique name, display name, description, owner/admin reference).
    - Define where this metadata will be stored (e.g., using Keycloak Group Attributes). Specify attribute names and formats.
- Membership Management:
    - Detail how users become members of groups (standard Keycloak group membership APIs/UI).
- Roles Within Groups:
    - Design how roles specific to a group context (e.g., "admin" of Tenant A, "member" of Tenant A) will be represented. Options include sub-groups, composite roles, or group attributes. Recommend the most scalable approach.
- Administration Model:
    - Define who can create/manage groups and memberships (e.g., system admins via Keycloak console/API, designated group admins via custom APIs).
    - Specify how admin privileges for groups are stored and checked.
- API Interaction:
    - Document the relevant Keycloak Admin REST API endpoints for managing groups, attributes, memberships, and roles based on the chosen design.
- System Integration:
    - Explain how group membership information will be retrieved and potentially propagated to other services (e.g., included in the X-User-Groups header injected by auth-service).

Deliverables:

A Design Document detailing the chosen model for groups/tenants in Keycloak, including data structures (attributes), role representation, administration model, relevant Keycloak APIs, and integration strategy.
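As an added illustration (not part of the ticket or the project's code) of one way the requested design could look, the sketch below models a tenant as a top-level Keycloak group with metadata in group attributes and tenant-scoped roles as `admin`/`member` sub-groups, then derives the `X-User-Groups` header and an admin check from the group paths Keycloak returns for a user. The attribute names, the `tenant:role` header format and the sample paths are assumptions made for the example.

```python
"""Sketch of a tenant-as-Keycloak-group model for the design discussed above.

Assumptions (not from the ticket): a tenant is a top-level Keycloak group whose
metadata lives in group attributes (Keycloak stores attributes as a map of
string -> list of strings), and tenant-scoped roles are sub-groups such as
/acme/admin and /acme/member. The header format 'tenant:role' is also assumed.
"""
from typing import Dict, List

TENANT_ROLES = ("admin", "member")  # assumed sub-group names per tenant


def tenant_group(name: str, display_name: str, owner_id: str) -> Dict:
    """Build a GroupRepresentation-style dict for a tenant with role sub-groups."""
    return {
        "name": name,
        "path": f"/{name}",
        "attributes": {  # Keycloak attribute values are always lists of strings
            "tenant": ["true"],
            "displayName": [display_name],
            "owner": [owner_id],
        },
        "subGroups": [{"name": r, "path": f"/{name}/{r}"} for r in TENANT_ROLES],
    }


def tenant_roles(group_paths: List[str]) -> Dict[str, List[str]]:
    """Map a user's group paths (as /users/{id}/groups returns them) to {tenant: [roles]}."""
    roles: Dict[str, List[str]] = {}
    for path in group_paths:
        parts = [p for p in path.split("/") if p]
        # Only /<tenant>/<role> paths count; other groups are ignored, not guessed at.
        if len(parts) == 2 and parts[1] in TENANT_ROLES:
            roles.setdefault(parts[0], []).append(parts[1])
    return roles


def user_groups_header(group_paths: List[str]) -> str:
    """Value for the X-User-Groups header: sorted, comma-separated 'tenant:role' pairs."""
    pairs = [f"{t}:{r}" for t, rs in sorted(tenant_roles(group_paths).items())
             for r in sorted(rs)]
    return ",".join(pairs)


def is_tenant_admin(group_paths: List[str], tenant: str) -> bool:
    """Admin check derived from Keycloak group membership, never from a client-supplied claim."""
    return "admin" in tenant_roles(group_paths).get(tenant, [])


# Constructed sample: what /users/{id}/groups might return for one user
SAMPLE_PATHS = ["/acme/admin", "/globex/member", "/unrelated"]
```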
stanislav.hejny added this to the V.01 milestone 2025-05-06 18:52:47 +00:00
abed.alrahman (Author, Member) commented:

https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/group-design
Reference: clevermicro/user-management#9