User A has Role B in Group C - a user has a role in the context of a group


We’re trying to model a project membership and roles structure in Keycloak.
We attempted to model this as a hierarchy of groups, with a Project group containing sub-groups for each project-specific role, e.g. Project_A, Project_A_Owner, so that we could model individuals with roles that are only relevant to the specific group context.

Unfortunately we’re in the thousands of groups at this point, and seem to be hitting scalability limits.

On looking at the background, it seems the Keycloak developer community have debated this use case over time:

User has Manager role for Group A

The problem would be that a User may be a PLAYER in a certain team/group but a COACH in a different team/group. I was thinking about creating roles like, for example, COACH at team1_1 and PLAYER at team_1_2. So during the permission evaluation I could parse this information. Unfortunately Keycloak has neither paging query support for Roles nor Groups and therefore this approach currently would not scale, as you may generate a few thousand roles.

I’m hoping there has been further work on this, or at least the community have arrived at a common solution, perhaps via an external SPI based integration, or through extending the Keycloak data model, or… fingers crossed…


This from later in 2015 is also relevant:

scope roles to your target abstraction

Hi @pedroigor @stianst :wave:
I’ve seen earlier posts on this topic in the past (noted above) - if you’ve anything more recent to add it would be great to hear how you’re thinking about this use case today. Thanks in advance.
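To make the two conventions discussed in this post concrete, here is an added example (not Keycloak code, and not from anyone in this thread). It takes a decoded token's claims and resolves both the group-hierarchy convention (`/Project_A/Project_A_Owner`, one sub-group per project role) and the scoped-role-name convention (`Project_A:Owner`, one realm role per project role) into a single `{project: roles}` map at permission-evaluation time, which is the parsing step the quoted post describes. The claim names (`groups`, `realm_access.roles`), the naming patterns, and the sample token are assumptions constructed for the example; the `groups_needed` helper just makes the thread's scaling concern visible as a number.

```python
"""Evaluate "user has role R in project P" from Keycloak-style token claims.

Added example, not code from Keycloak or from the thread's authors. It models
the two conventions discussed in the thread:
  1. group hierarchy: /Project_A/Project_A_Owner  (one sub-group per project role)
  2. scoped role names: Project_A:Owner           (one realm role per project role)
and resolves both into one {project: {roles}} map at permission-evaluation
time. Claim names ("groups", "realm_access.roles") and the naming patterns
are assumptions for the example; the token below is constructed sample data.
"""
import re
from collections import defaultdict

# Convention 1: full group path "/<project>/<project>_<role>" (assumed naming scheme)
GROUP_PATH_RE = re.compile(r"^/(?P<project>Project_\w+)/(?P=project)_(?P<role>\w+)$")
# Convention 2: realm role "<project>:<role>" (assumed naming scheme)
SCOPED_ROLE_RE = re.compile(r"^(?P<project>Project_\w+):(?P<role>\w+)$")


def contextual_roles(claims):
    """Return {project: frozenset(roles)} parsed from both conventions.

    Entries that match neither pattern (plain project membership, realm-wide
    roles such as "admin") are ignored, so a global role never leaks into a
    project context and a role granted in one project is not honoured in another.
    """
    scoped = defaultdict(set)
    for path in claims.get("groups", []):
        m = GROUP_PATH_RE.match(path)
        if m:
            scoped[m["project"]].add(m["role"])
    for role in claims.get("realm_access", {}).get("roles", []):
        m = SCOPED_ROLE_RE.match(role)
        if m:
            scoped[m["project"]].add(m["role"])
    return {p: frozenset(r) for p, r in scoped.items()}


def has_role(claims, project, role):
    """True only if the role was granted in this project's context."""
    return role in contextual_roles(claims).get(project, frozenset())


def groups_needed(n_projects, roles_per_project):
    """Group count for convention 1: one parent group plus one sub-group per role."""
    return n_projects * (1 + roles_per_project)


# Constructed sample token: Owner of Project_A via the group hierarchy, Viewer of
# Project_B via a scoped role, plus a realm-wide "admin" role with no project context.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "groups": ["/Project_A", "/Project_A/Project_A_Owner"],
    "realm_access": {"roles": ["admin", "Project_B:Viewer"]},
}

if __name__ == "__main__":
    print(contextual_roles(SAMPLE_CLAIMS))
    print(has_role(SAMPLE_CLAIMS, "Project_A", "Owner"))  # True
    print(has_role(SAMPLE_CLAIMS, "Project_B", "Owner"))  # False: Owner was granted in Project_A only
    print(groups_needed(1000, 4))  # 5000 groups for 1000 projects with 4 roles each
```

The important property for an authorization check is that a role only counts inside the project it was granted in: `Owner` in Project_A gives nothing in Project_B, and the unscoped `admin` role is deliberately not mapped to any project. Whichever naming convention you settle on, keep the pattern strict (anchored regex, fixed separator) so that a group or role with a similar name cannot be mistaken for a project-scoped grant.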

We are trying the same. How did you do it, @ndjones?

Or does anyone know of other activity on this issue?

Best Regards!