<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 26, 2014 at 4:20 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">On 2014-05-26, Matthias Wessendorf wrote:<br>
> On Mon, May 26, 2014 at 2:10 PM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:<br>
><br>
> ><br>
> > Good morning peeps, after the latest change[1] correct me if I'm wrong. But<br>
> > I think KC and UPS will do pretty much what we need.<br>
> ><br>
> > We have a push admin and the super user on KC side enabled. Let me know<br>
> > if that is what you need and I will take a look at viewer role.<br>
> ><br>
><br>
> One thing that I noticed: when I log in as 'admin', I don't see the<br>
> applications created by 'user'.<br>
> I think with that change, the 'admin' is the overall Keycloak-Admin.<br>
<br>
</div>With the recent changes we have 2 admins:<br>
<br>
- KC admin<br>
- UPS admin<br>
<br>
I think the UPS admin should have the visibility of all applications<br>
created, right? I will look at this.<br></blockquote><div><br></div><div><div style="font-family:arial,sans-serif;font-size:13px">* super-user: in charge of managing the UPS realm (including users); can see _ALL_ push applications (that's the 'admin' in Sebi's older gist)</div>
<div style="font-family:arial,sans-serif;font-size:13px">* PushAdmin: Someone that can manage applications and variants, but is not able to add new users; he also sees only his applications/variants etc. (that's the 'developer' in Sebi's older gist)</div>
</div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class=""><br>
><br>
><br>
> I had a chat w/ Stian in the past, for the above mentioned<br>
> "super-user" (which is leveraging the Keycloak realm) Stian and I were<br>
> thinking of a "Super User", that simply has not all permissions. For<br>
> instance, it would have:<br>
> * AdminRoles.VIEW_USERS<br>
> * AdminRoles.MANAGE_USERS<br>
><br>
> But it would not have the "AdminRoles.ADMIN" role. As we don't need to have<br>
> that guy/super-user being able to create realms or other applications, just<br>
> the "user access" items.<br>
><br>
> I guess that's why we did see the 'remove()' before<br>
<br>
</div>I understand the permission scope restriction for KC admin<br>
(aka super-user). But if we remove the admin, how could you login to manage<br>
users/roles?<br></blockquote><div><br></div><div>The "super-admin" would still be able to manage the realm, but he would no longer be a 'real' KC admin, by removing the 'AdminRoles.ADMIN' role; that's what Stian and I were talking about in the past.</div>
<div>Perhaps he can say a bit more.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class=""><div class="h5"><br>
><br>
> -Matthias<br>
><br>
> ><br>
> ><br>
> > [1] -<br>
> ><br>
> > <a href="https://github.com/aerogear/aerogear-unifiedpush-server/commit/3e118b1c758493942ef2a00e1541302a03e5519c" target="_blank">https://github.com/aerogear/aerogear-unifiedpush-server/commit/3e118b1c758493942ef2a00e1541302a03e5519c</a><br>
> ><br>
> ><br>
> > On 2014-05-21, Matthias Wessendorf wrote:<br>
> > > Just a thought... regarding those two roles 'PushAdmin' and 'Super-User',<br>
> > > IMO the Super-user should be able to see all apps (and their variants,<br>
> > > including registered devices).<br>
> > ><br>
> > > On Wed, May 21, 2014 at 2:55 PM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>><br>
> > wrote:<br>
> > ><br>
> > > > Thank you Matthias, I will look at it and return back with more<br>
> > > > questions if necessary.<br>
> > > ><br>
> > > > On 2014-05-21, Matthias Wessendorf wrote:<br>
> > > > > Hello,<br>
> > > > ><br>
> > > > > yes - the handling is done by Keycloak itself; Last time we looked at<br>
> > > > user<br>
> > > > > management, we had the following in terms of roles:<br>
> > > > ><br>
> > > > > <a href="https://gist.github.com/sebastienblanc/6547605" target="_blank">https://gist.github.com/sebastienblanc/6547605</a><br>
> > > > ><br>
> > > > > Not sure the names of these roles are great.... let's see<br>
> > > > ><br>
> > > > > Basically I think the role definition in the gist still addresses<br>
> > most of<br>
> > > > > what we want to achieve:<br>
> > > > > * super-user: in charge of managing the UPS realm (including users);<br>
> > can<br>
> > > > > see _ALL_ push applications (that's the admin in Sebi's gist)<br>
> > > > > * PushAdmin: Someone that can manage applications and variants, but<br>
> > is<br>
> > > > not<br>
> > > > > able to add new users; he also sees only his applications/variants<br>
> > etc<br>
> > > > > (that's the developer in sebis gist)<br>
> > > > ><br>
> > > > > The gist also contains a 'Viewer' role - At this point I am not sure<br>
> > we<br>
> > > > do<br>
> > > > > really need this. My impression is that if we have PushAdmins for our<br>
> > > > 1.0.0<br>
> > > > > community release that will be enough.<br>
> > > > ><br>
> > > > > -Matthias<br>
> > > > ><br>
> > > > > On Tue, May 20, 2014 at 10:02 PM, Bruno Oliveira <<br>
> > <a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a><br>
> > > > >wrote:<br>
> > > > ><br>
> > > > > > Good morning peeps,<br>
> > > > > ><br>
> > > > > > Before I jump into <a href="https://issues.jboss.org/browse/AGPUSH-639" target="_blank">https://issues.jboss.org/browse/AGPUSH-639</a>, I<br>
> > would<br>
> > > > > > like to understand what you guys want to say with this issue.<br>
> > > > > ><br>
> > > > > > Currently Keycloak already has its own user/roles managements.<br>
> > What are<br>
> > > > > > you guys looking for? Any specific requirements?<br>
> > > > > ><br>
> > > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> > ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
><br>
<br>
<br>
--<br>
<br>
abstractj<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
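<br>Added example (not code from the UPS project or from anyone on this thread): a small Python policy that models the two-role split discussed above, with the super-user holding only the user-management realm roles (no ADMIN) and the PushAdmin scoped to the applications he owns. The UPS role names, the action names, the sample users/apps and the string values assumed for the AdminRoles constants are my assumptions.

```python
from dataclasses import dataclass

# Assumed string values of the Keycloak AdminRoles constants named in the thread.
VIEW_USERS, MANAGE_USERS, ADMIN = "view-users", "manage-users", "admin"

# Assumed UPS role names carried for each user (not from the page).
SUPER_USER, PUSH_ADMIN = "super-user", "PushAdmin"

# Least privilege: the super-user gets user management only, never ADMIN;
# the PushAdmin gets no realm-management roles at all.
REALM_ROLES_FOR = {
    SUPER_USER: frozenset({VIEW_USERS, MANAGE_USERS}),
    PUSH_ADMIN: frozenset(),
}


@dataclass(frozen=True)
class User:
    name: str
    ups_role: str


@dataclass(frozen=True)
class PushApplication:
    name: str
    owner: str  # the user who created the application


def authorize(user, action, app=None):
    """Decide one action; unknown roles and unknown actions are denied."""
    if user.ups_role not in REALM_ROLES_FOR:
        return False
    roles = REALM_ROLES_FOR[user.ups_role]
    if action == "create_realm":
        return ADMIN in roles  # neither UPS role carries ADMIN
    if action == "manage_users":
        return MANAGE_USERS in roles
    if action in ("view_app", "manage_app"):
        if app is None:
            return False
        # super-user sees/manages every app; PushAdmin only his own
        return user.ups_role == SUPER_USER or app.owner == user.name
    return False


def visible_applications(user, apps):
    return [a for a in apps if authorize(user, "view_app", a)]


# Constructed sample data mirroring the 'admin' / 'user' case in the thread.
ADMIN_USER = User("admin", SUPER_USER)
DEV_USER = User("user", PUSH_ADMIN)
APPS = [PushApplication("chat", "user"), PushApplication("news", "other")]
```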
</div></div>