[keycloak-dev] Hide internal clients and roles

Stian Thorgersen stian at redhat.com
Wed Jun 10 13:25:11 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 10 June, 2015 4:39:11 PM
> Subject: Re: [keycloak-dev] Hide internal clients and roles
> 
> 
> 
> On 6/10/2015 10:15 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Wednesday, 10 June, 2015 4:08:16 PM
> >> Subject: Re: [keycloak-dev] Hide internal clients and roles
> >>
> >> I think security-admin-console and realm-management should be merged in
> >> non-Master realms.  In master realm, rename everything to
> >> <realm>-security-admin-console.  Finally, an internal role or client
> >> would not be able to be deleted.
> >>
> >> I don't think you should hide any roles ever.  I don't see why you would
> >> want to.  I do think you should make internal clients and roles
> >> unremovable.
> >
> > Hiding the internal realm roles would enable a "blank slate" page on the
> > realm roles list. Alternatively, and I actually think this is a better
> > idea, is to make the admin and create-realm roles roles of the
> > master-security-admin-console realm rather than realm roles. In that case
> > all we need is "internal" clients and an option to view/hide them on the
> > clients list.
> >
> 
> Do you like the idea of merging security-admin-console and realm-management?
> 
> +1 to moving "admin" and "create-realm" to master-security-admin-console.

Yep, I think that's cleaner. Maybe just call it 'realm-admin-master'?

> 
> The "blank slate" page could be displayed if there is no *non*
> internal-clients/roles.  There could be a button or link on the Blank
> Slate page "View built-in clients" along with "create client".  I don't
> know if it is better to have a "hide built-in clients" checkbox on the
> client list page, or to just show them by default.
> 
> > Which one is it btw "an internal role or client would not be able to be
> > deleted" or "I do think you should make internal clients and roles
> > unremovable"?
> 
> Sorry, I repeated myself without realizing.  Internal things should not
> be deletable or removable, right?

Hehe, I read one wrongly so I thought you were saying they should not be able to delete and at the same time they should be removable.

I agree - it should not be possible to delete internal stuff.

What about we add an attribute to internal clients so we can show that they are internal in the client list. Also, we know when to display the clean slate if there's only internal clients. We can also use the internal attribute to limit options that can be changed for such clients.

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

