[keycloak-dev] Restrict admins to only allow granting roles they are privileged to

Marek Posolda mposolda at redhat.com
Wed Mar 25 07:27:24 EDT 2015


+1 for the simple fix; however, I agree that more flexibility might be 
needed.

We may need some more fine-grained authorization. For example, a user is 
authorized to manage application "app1" but not application "app2" 
(currently a user with the "manage-applications" role can manage any 
application). Similarly, I may want some user to be able to grant/revoke 
to other users all application roles of a particular application, etc.

I wonder if we should add the concept of a "permission"? Basically, a 
permission would consist of an action and a target object (could support 
wildcards). Permissions are given to roles. For example, the current role 
"manage-applications" would have permissions like this:
- create-applications
- update-applications: *
- remove-application: *

So member of this role can CRUD any application.

Now when users from role "myapp1/foo-role" should be able to 
grant/revoke this role to other users, the permission given to the 
foo-role will be:
- grant-role: "myapp1", "foo-role"

When users from role "myapp1/bar-role" should be able to grant/revoke 
all roles from application "myapp1" to other users, the permission will be:
- grant-role: "myapp1", "*"

The tricky part is to have the permission model flexible enough, but not 
be too complex at the same time;-)
Maybe it should be driven mainly by real use-cases from the community?

Marek

On 25.3.2015 06:49, Stian Thorgersen wrote:
> I propose we add a check when an admin wants to grant a role. For an admin to be allowed to grant a role, the admin either has to have the admin/realm-admin role or have the role itself. This prevents admins from adding more privileges to themselves than they already have and would also be a way to allow admins that can only manage roles for specific applications.
>
> This should be a simple fix. In the future I think we may need to re-design how we map permissions for Keycloak. I'm really not that happy with the realm apps and such, it's messy and not flexible enough.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
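A sketch of how the two proposals in this thread compose, added here as an illustration; it is not code from the thread, from Keycloak, or from either author. Stian's simple rule (the admin holds admin/realm-admin or already holds the role being granted) is checked first, and Marek's action/target permissions with wildcards are consulted after it. The role name `realm-admin`, the tuple encoding of a permission, the `ROLE_PERMISSIONS` table and the `app/role` naming are all assumptions made for the example; the permission entries themselves are the ones listed in the message above.

```python
"""Toy authorization model for 'who may grant which role' (added example)."""
from fnmatch import fnmatchcase

# Assumption: name of the role that may do anything in the realm.
REALM_ADMIN = "realm-admin"

# A permission is (action, *target); "*" in a target part is a wildcard.
# These entries mirror the examples in the message; the encoding is assumed.
ROLE_PERMISSIONS = {
    "manage-applications": {
        ("create-applications",),
        ("update-applications", "*"),
        ("remove-application", "*"),
    },
    # members may grant/revoke exactly this one role
    "myapp1/foo-role": {("grant-role", "myapp1", "foo-role")},
    # members may grant/revoke every role of application myapp1
    "myapp1/bar-role": {("grant-role", "myapp1", "*")},
}


def matches(perm, action, *target):
    """True if one stored permission covers the requested action and target.

    The action must be equal and every target part must match the stored
    pattern; a pattern of "*" matches any single part.
    """
    if perm[0] != action or len(perm) - 1 != len(target):
        return False
    return all(fnmatchcase(part, pattern) for pattern, part in zip(perm[1:], target))


def has_permission(admin_roles, action, *target):
    """Deny by default: grant only if some held role carries a matching permission."""
    return any(
        matches(perm, action, *target)
        for role in admin_roles
        for perm in ROLE_PERMISSIONS.get(role, ())
    )


def can_grant_simple(admin_roles, full_role_name):
    """Stian's proposed check: realm admin, or the admin already holds the role."""
    return REALM_ADMIN in admin_roles or full_role_name in admin_roles


def can_grant(admin_roles, app, role_name):
    """Combined check used when an admin tries to grant app/role_name to someone.

    The simple rule alone already stops an admin from handing out privileges
    they do not hold; the permission table adds the finer-grained delegation
    Marek describes (e.g. 'all roles of myapp1') without widening the simple rule.
    """
    full_role_name = f"{app}/{role_name}"
    return can_grant_simple(admin_roles, full_role_name) or has_permission(
        admin_roles, "grant-role", app, role_name
    )


if __name__ == "__main__":
    # Constructed sample admins for a quick demonstration.
    print(can_grant({"myapp1/foo-role"}, "myapp1", "foo-role"))   # True
    print(can_grant({"myapp1/foo-role"}, "myapp1", "other-role")) # False
    print(can_grant({"myapp1/bar-role"}, "myapp1", "foo-role"))   # True (wildcard)
    print(can_grant({"manage-applications"}, "myapp1", "foo-role"))  # False
```

Note that `manage-applications` can update or remove any application but carries no `grant-role` permission, so holding it does not let an admin grant themselves roles of those applications; that is exactly the escalation the simple rule is meant to block, and the permission table keeps the same default unless a `grant-role` entry is added explicitly.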
