Best Practices For User and Group Management

Hello everyone,

Our company is just getting started with Keycloak / RedHat SSO. We are working through our architectural design and trying to determine the best way to use the product to solve our various IAM needs.

We are wondering, are there general best practices to follow when managing user or group data? Specifically we are curious if there are best practices for:

• The type of data that is typically stored in user attributes
• The type of data that is typically stored in group attributes
• How groups and group hierarchies are typically used

Our users are typically members of company "groups" which can be made up of parent companies or groups sometimes. We are thinking RH SSO's group functionality would be a good fit to store this kind of company level hierarchy and data. Identifiable data like the company's name and their address can be stored in attributes and the relationship between companies can be managed via hierarchies.

Normally we would not store this type of company data in our IAM solution. However, because we bill companies for their subscription to our product, we are hoping to use a combination of groups and roles to determine if a user has an active subscription for a particular product and thus are authorized to access that product. The actual management of billing would of course be managed by a completely separate system.

I realize this topic is highly subjective. However,, I am hoping to get a feel from the community on how groups and user data are typically used within RH SSO.

Any input, best practices, or lessons learned would be extremely beneficial to us.

Thank you for your time!
.