[keycloak-dev] user group admins

Bill Burke bburke at redhat.com
Thu Nov 5 12:31:00 EST 2015


A few users have been asking about the ability to limit the admin to 
managing a set of users in a group.

I know Pedro is doing permission work, but IMO, this type of thing needs 
to be integrated and natural to the Keycloak UI as it would be a 
fundamental feature.

Here's a proposal though based on my layout of User Groups in a previous 
email.

Group Admins need to be able to:
* Manage group membership
* Manage users within a group to do things like reset credentials and 
other user management actions.
* Grant roles to users within a group
* Add attributes to the group
* Grant roles to the group

So, if each User Group had its own Role Namespace, we could define one 
or more roles that grant each of those permissions.  i.e. 
"group-membership-admin", "group-user-admin", "group-admin".  If a User 
Group has its own Role Namespace, it becomes really easy to compose 
administrative access.  So you could define individual "admin groups" and 
grant users in those groups permission to manage one or more groups.

If groups don't have their own Role Namespace, you need a way to 
associate a role to each group admin permission.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
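The proposal in the mail above, modelled as a small authorization check. This is an added example and not Keycloak's own code or data model: each user group owns a role namespace, roles from that namespace can be granted to individual users or to "admin groups", and an administrative action on a group succeeds only when the caller holds a suitable role from that group's namespace. The three role names come from the mail; the `ACTION_ROLES` mapping, the `Realm` / `Group` classes, the `effective_roles` and `can` helpers and the sample users and groups are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Administrative actions from the mail, mapped to the roles (defined in the
# target group's own namespace) that permit them. The mapping is an assumption.
ACTION_ROLES = {
    "manage-membership": {"group-membership-admin", "group-admin"},
    "manage-users":      {"group-user-admin", "group-admin"},
    "grant-user-roles":  {"group-user-admin", "group-admin"},
    "manage-attributes": {"group-admin"},
    "grant-group-roles": {"group-admin"},
}
KNOWN_ROLES = {r for roles in ACTION_ROLES.values() for r in roles}


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # Grants of roles from THIS group's namespace, keyed by grantee:
    # "user:<name>" for a user, "group:<name>" for an admin group.
    grants: dict = field(default_factory=dict)

    def grant(self, grantee: str, role: str) -> None:
        """Grant a role from this group's namespace to a user or admin group."""
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown role {role!r} in namespace {self.name!r}")
        self.grants.setdefault(grantee, set()).add(role)


class Realm:
    """Hypothetical realm holding groups with per-group role namespaces."""

    def __init__(self) -> None:
        self.groups: dict = {}

    def add_group(self, name: str, members=()) -> Group:
        group = Group(name, set(members))
        self.groups[name] = group
        return group

    def groups_of(self, user: str) -> set:
        return {n for n, g in self.groups.items() if user in g.members}

    def effective_roles(self, user: str, target: str) -> set:
        """Roles in `target`'s namespace the user holds, directly or via an admin group.

        Roles are returned qualified as "<group>/<role>" so that a role granted in
        one group's namespace can never satisfy a check against another group.
        """
        group = self.groups.get(target)
        if group is None:
            return set()
        grantees = {f"user:{user}"} | {f"group:{g}" for g in self.groups_of(user)}
        roles = set()
        for grantee in grantees:
            roles |= group.grants.get(grantee, set())
        return {f"{target}/{r}" for r in roles}

    def can(self, user: str, action: str, target: str) -> bool:
        """True if `user` may perform `action` on group `target`."""
        if action not in ACTION_ROLES:
            raise ValueError(f"unknown action {action!r}")
        needed = {f"{target}/{r}" for r in ACTION_ROLES[action]}
        return bool(needed & self.effective_roles(user, target))


def build_sample_realm() -> Realm:
    """Constructed sample data: two managed groups, one untouched group, one admin group."""
    realm = Realm()
    sales = realm.add_group("sales", {"bob", "carol"})
    marketing = realm.add_group("marketing", {"dave"})
    realm.add_group("engineering", {"erin"})
    realm.add_group("helpdesk", {"alice"})  # an "admin group"
    # Compose administrative access: the helpdesk group may manage users in two groups.
    sales.grant("group:helpdesk", "group-user-admin")
    marketing.grant("group:helpdesk", "group-user-admin")
    # bob may manage membership of his own group, and nothing else.
    sales.grant("user:bob", "group-membership-admin")
    return realm


if __name__ == "__main__":
    realm = build_sample_realm()
    for user, action, target in [("alice", "manage-users", "sales"),
                                 ("alice", "manage-attributes", "sales"),
                                 ("alice", "manage-users", "engineering"),
                                 ("bob", "manage-membership", "sales"),
                                 ("bob", "manage-users", "sales")]:
        print(f"{user:6} {action:18} {target:12} -> {realm.can(user, action, target)}")
```

The qualified role name is what makes the namespacing do its work: alice's `group-user-admin` in the `sales` namespace gives her nothing in `engineering`, and bob's membership-admin role does not let him reset credentials, which is the least-privilege split the mail is after.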