<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 26, 2014 at 4:46 PM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 2014-05-26, Matthias Wessendorf wrote:<br>
&gt; On Mon, May 26, 2014 at 4:20 PM, Bruno Oliveira &lt;<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>&gt; wrote:<br>
&gt;<br>
&gt; &gt; On 2014-05-26, Matthias Wessendorf wrote:<br>
&gt; &gt; &gt; On Mon, May 26, 2014 at 2:10 PM, Bruno Oliveira &lt;<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>&gt;<br>
&gt; &gt; wrote:<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; Good morning peeps, after the latest change[1], correct me if I&#39;m<br>
&gt; &gt; wrong, but<br>
&gt; &gt; &gt; &gt; I think KC and UPS will do pretty much what we need.<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; We have a push admin and the super user on KC side enabled. Let me know<br>
&gt; &gt; &gt; &gt; if that is what you need and I will take a look at viewer role.<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; One thing that I noticed: when I login as &#39;admin&#39;, I don&#39;t see the<br>
&gt; &gt; &gt; applications created by &#39;user&#39;<br>
&gt; &gt; &gt; I think with that change, the &#39;admin&#39; is the overall Keycloak-Admin.<br>
&gt; &gt;<br>
&gt; &gt; With the recent changes we have 2 admins:<br>
&gt; &gt;<br>
&gt; &gt; - KC admin<br>
&gt; &gt; - UPS admin<br>
&gt; &gt;<br>
&gt; &gt; I think the UPS admin should have the visibility of all applications<br>
&gt; &gt; created, right? I will look at this.<br>
&gt; &gt;<br>
&gt;<br>
&gt; * super-user: in charge of managing the UPS realm (including users); can<br>
&gt; see _ALL_ push applications  (that&#39;s the &#39;admin&#39; in Sebi&#39;s older gist)<br>
&gt; * PushAdmin: Someone that can manage applications and variants, but is not<br>
&gt; able to add new users; he also sees only his applications/variants etc<br>
&gt; (that&#39;s the &#39;developer&#39; in Sebi&#39;s older gist)<br>
<br>
</div>You already said it in the previous e-mail, it&#39;s not necessary to say it<br>
again. I think the point of confusion here is:<br>
<br>
KC admin can&#39;t see your application/variants or whatever you want,<br>
because it doesn&#39;t belong to KC. If you look at<br>
<a href="http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e311" target="_blank">http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e311</a>,<br>
you will notice that KC is very good at managing applications, but knows<br>
nothing about UPS, which is correct.<br></blockquote><div><br></div><div>yes, that&#39;s correct and makes sense.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<br>
From my understanding we have 2 admins: KC and UPS. So when you say<br>
super user, I can see it this way:<br>
<br>
- super user: KC admin to manage realms, configurations, revoke clients,<br>
  manage users...etc. 0 visibility of UPS domain, in other words this<br>
  admin can&#39;t manage variants or applications.<br>
<br>
- admin: UPS admin. This user can&#39;t manage realms, configuration, revoke<br>
  clients, manage users...etc. But has full visibility of UPS domain,<br>
  in other words manage variants or applications etc.<br></blockquote><div><br></div><div><br></div><div>Let&#39;s see. We need a KC-Admin to manage the UPS-realm, but just that realm; since we don&#39;t plan on shipping a &#39;full&#39; Keycloak server, </div>
<div>the option to create new realms etc should be disabled (e.g. according to Stian by removing the AdminRole)</div><div><br></div><div>For UPS, we might need two different roles:</div><div>* Super-User </div><div>* Push-Admin</div>
<div><br></div><div>So that the Super-User sees all five applications (for instance):</div><div>* two from PushAdmin_1</div><div>* three from PushAdmin_2</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class=""><br>
<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; I had a chat w/ Stian in the past, for the above mentioned<br>
&gt; &gt; &gt; &quot;super-user&quot; (which is leveraging the Keycloak realm) Stian and I were<br>
&gt; &gt; &gt; thinking of a &quot;Super User&quot;, that simply does not have all permissions. For<br>
&gt; &gt; &gt; instance, it would have:<br>
&gt; &gt; &gt; * AdminRoles.VIEW_USERS<br>
&gt; &gt; &gt; * AdminRoles.MANAGE_USERS<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; But it would not have the &quot;AdminRoles.ADMIN&quot; role. As we don&#39;t need to<br>
&gt; &gt; have<br>
&gt; &gt; &gt; that guy/super-user being able to create realms or other applications,<br>
&gt; &gt; just<br>
&gt; &gt; &gt; the &quot;user access&quot; items.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; I guess that&#39;s why we did see the &#39;remove()&#39; before<br>
&gt; &gt;<br>
&gt; &gt; I understand the permission scope restriction for KC admin<br>
&gt; &gt; (aka super-user). But if we remove the admin, how could you login to manage<br>
&gt; &gt; users/roles?<br>
&gt; &gt;<br>
&gt;<br>
&gt; The &quot;super-admin&quot; would be still able to manage the realm, but he would be<br>
&gt; no longer a &#39;real&#39; KC admin, by removing the &#39;AdminRoles.ADMIN&#39; role,<br>
&gt; that&#39;s what Stian and I were talking about in the past.<br>
&gt; Perhaps he can say a bit more<br>
<br>
</div>Change permissions, I understand. But I don&#39;t understand why we need to<br>
remove the user. Either way I will talk with Stian, thank you.<br></blockquote><div><br></div><div>sounds good</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div class="HOEnZb"><div class="h5"><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; -Matthias<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; [1] -<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; <a href="https://github.com/aerogear/aerogear-unifiedpush-server/commit/3e118b1c758493942ef2a00e1541302a03e5519c" target="_blank">https://github.com/aerogear/aerogear-unifiedpush-server/commit/3e118b1c758493942ef2a00e1541302a03e5519c</a><br>

&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; On 2014-05-21, Matthias Wessendorf wrote:<br>
&gt; &gt; &gt; &gt; &gt; Just a thought... regarding those two roles &#39;PushAdmin&#39; and<br>
&gt; &gt; &#39;Super-User&#39;,<br>
&gt; &gt; &gt; &gt; &gt; IMO the Super-user should be able to see all apps (and their<br>
&gt; &gt; variants,<br>
&gt; &gt; &gt; &gt; &gt; including registered devices).<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; On Wed, May 21, 2014 at 2:55 PM, Bruno Oliveira &lt;<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a><br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; wrote:<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; Thank you Matthias, I will look at it and return back with more<br>
&gt; &gt; &gt; &gt; &gt; &gt; questions if necessary.<br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; On 2014-05-21, Matthias Wessendorf wrote:<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; Hello,<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; yes - the handling is done by Keycloak itself; Last time we<br>
&gt; &gt; looked at<br>
&gt; &gt; &gt; &gt; &gt; &gt; user<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; management, we had the following in terms of roles:<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; <a href="https://gist.github.com/sebastienblanc/6547605" target="_blank">https://gist.github.com/sebastienblanc/6547605</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; Not sure the names of these roles are great.... let&#39;s see<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; Basically I think the role definition in the gist still addresses<br>
&gt; &gt; &gt; &gt; most of<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; what we want to achieve:<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; * super-user: in charge of managing the UPS realm (including<br>
&gt; &gt; users);<br>
&gt; &gt; &gt; &gt; can<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; see _ALL_ push applications  (that&#39;s the admin in Sebi&#39;s gist)<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; * PushAdmin: Someone that can manage applications and variants,<br>
&gt; &gt; but<br>
&gt; &gt; &gt; &gt; is<br>
&gt; &gt; &gt; &gt; &gt; &gt; not<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; able to add new users; he also sees only his<br>
&gt; &gt; applications/variants<br>
&gt; &gt; &gt; &gt; etc<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; (that&#39;s the developer in sebis gist)<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; The gist also contains a &#39;Viewer&#39; role - At this point I am not<br>
&gt; &gt; sure<br>
&gt; &gt; &gt; &gt; we<br>
&gt; &gt; &gt; &gt; &gt; &gt; do<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; really need this. My impression is that if we have PushAdmins<br>
&gt; &gt; for our<br>
&gt; &gt; &gt; &gt; &gt; &gt; 1.0.0<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; community release that will be enough.<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; -Matthias<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; On Tue, May 20, 2014 at 10:02 PM, Bruno Oliveira &lt;<br>
&gt; &gt; &gt; &gt; <a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;wrote:<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; Good morning peeps,<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; Before I jump into <a href="https://issues.jboss.org/browse/AGPUSH-639" target="_blank">https://issues.jboss.org/browse/AGPUSH-639</a>, I<br>
&gt; &gt; &gt; &gt; would<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; like to understand what you guys want to say with this issue.<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; Currently Keycloak already has its own user/role management.<br>
&gt; &gt; &gt; &gt; What are<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; you guys looking for? Any specific requirements?<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; --<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; abstractj<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; _______________________________________________<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; aerogear-dev mailing list<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; --<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; Matthias Wessendorf<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt; &gt; &gt; &gt; &gt; &gt; &gt; twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; --<br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; &gt; abstractj<br>
&gt; &gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; --<br>
&gt; &gt; &gt; &gt; &gt; Matthias Wessendorf<br>
&gt; &gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt; &gt; &gt; &gt; &gt; sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt; &gt; &gt; &gt; &gt; twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; --<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; abstractj<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; --<br>
&gt; &gt; &gt; Matthias Wessendorf<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt; &gt; &gt; sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt; &gt; &gt; twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; --<br>
&gt; &gt;<br>
&gt; &gt; abstractj<br>
&gt; &gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Matthias Wessendorf<br>
&gt;<br>
&gt; blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
&gt; sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
&gt; twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
<br>
<br>
<br>
--<br>
<br>
abstractj<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
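<div>As an added example that is not part of the thread above and not code from the UnifiedPush Server or Keycloak: a plain-Java sketch of the visibility rule the thread converges on (a Super-User sees every push application, a PushAdmin sees only the applications he created). The Role, Principal, PushApplication and PushApplicationService names are assumptions made for this example; in UPS the caller&#39;s roles would come from the Keycloak token rather than being constructed inline.</div>

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.NoSuchElementException;
import java.util.Set;

// Added example, not UnifiedPush Server or Keycloak code. All type and field
// names below are assumptions made for this illustration.
public class PushAppVisibility {

    // The two UPS-side roles discussed in the thread.
    enum Role { SUPER_USER, PUSH_ADMIN }

    // Caller identity: name plus realm roles (constructed here; UPS would take
    // both from the Keycloak token).
    static final class Principal {
        final String name;
        final Set<Role> roles;

        Principal(String name, Role... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }

        boolean has(Role role) { return roles.contains(role); }
    }

    // A push application record reduced to what the access check needs.
    static final class PushApplication {
        final String id;
        final String name;
        final String developer; // the PushAdmin who created it

        PushApplication(String id, String name, String developer) {
            this.id = id;
            this.name = name;
            this.developer = developer;
        }
    }

    static final class PushApplicationService {
        private final List<PushApplication> store = new ArrayList<>();

        void add(PushApplication app) { store.add(app); }

        // Super-User sees everything; a PushAdmin sees only his own
        // applications; a caller with neither role sees nothing.
        List<PushApplication> list(Principal caller) {
            List<PushApplication> visible = new ArrayList<>();
            for (PushApplication app : store) {
                if (isVisible(caller, app)) {
                    visible.add(app);
                }
            }
            return Collections.unmodifiableList(visible);
        }

        // The same rule is enforced on lookup by id, not only on listing:
        // a PushAdmin who learns another developer's application id must
        // still be refused. "Unknown id" and "not your application" raise
        // the same exception so ids cannot be probed one at a time.
        PushApplication get(Principal caller, String id) {
            for (PushApplication app : store) {
                if (app.id.equals(id) && isVisible(caller, app)) {
                    return app;
                }
            }
            throw new NoSuchElementException("no push application " + id + " for " + caller.name);
        }

        private static boolean isVisible(Principal caller, PushApplication app) {
            if (caller.has(Role.SUPER_USER)) {
                return true;
            }
            return caller.has(Role.PUSH_ADMIN) && app.developer.equals(caller.name);
        }
    }

    public static void main(String[] args) {
        // Constructed data mirroring the thread's example: five applications,
        // two created by PushAdmin_1 and three by PushAdmin_2.
        PushApplicationService service = new PushApplicationService();
        service.add(new PushApplication("a1", "Shop iOS", "PushAdmin_1"));
        service.add(new PushApplication("a2", "Shop Android", "PushAdmin_1"));
        service.add(new PushApplication("b1", "News iOS", "PushAdmin_2"));
        service.add(new PushApplication("b2", "News Android", "PushAdmin_2"));
        service.add(new PushApplication("b3", "News Web", "PushAdmin_2"));

        Principal superUser = new Principal("super", Role.SUPER_USER);
        Principal admin1 = new Principal("PushAdmin_1", Role.PUSH_ADMIN);
        Principal admin2 = new Principal("PushAdmin_2", Role.PUSH_ADMIN);

        System.out.println("super sees " + service.list(superUser).size());
        System.out.println("PushAdmin_1 sees " + service.list(admin1).size());
        System.out.println("PushAdmin_2 sees " + service.list(admin2).size());

        // PushAdmin_1 asking for PushAdmin_2's application is refused exactly
        // like a request for an id that does not exist.
        try {
            service.get(admin1, "b1");
        } catch (NoSuchElementException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

<div>The point worth keeping from this sketch is that the ownership check lives in the per-id lookup, not only in the listing. Filtering the list alone still lets a PushAdmin who obtains another developer&#39;s application id read or change it, and answering &quot;not found&quot; for both unknown and foreign ids keeps him from discovering which ids exist.</div>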