[keycloak-dev] controlling which roles an admin can grant

Bill Burke bburke at redhat.com
Thu Nov 5 15:58:16 EST 2015



On 11/5/2015 1:58 PM, Stian Thorgersen wrote:
> Sounds complex and confusing to me. Also how do you specify who's
> allowed to manage the role granting permissions?
>

My proposal is *simpler* and very explicit.  All this is, is assigning 
admin permissions to a role.



There would be a realm-wide role for admins that are allowed to set up 
role granting permissions.  Just like we have for view-user, etc.  So, 
the master admin sets up the role granting permissions, then assigns 
role granting roles to each subset of "junior" admins.


> A simpler approach would be to simply require an admin to have a role to
> be able to grant it to another user. When an admin creates a role they
> would be given that role as well. You can also composite roles to then
> achieve the same as you're mentioning above.
>

I started with that approach, but I thought it was too implicit and 
confusing.  There will be cases where a user has admin permissions for a 
client, but you don't want to allow them to grant this permission to 
others.  It's like contributors at GitHub.  Contributors can merge PRs, 
but they can't grant others contributor access.




> On 5 November 2015 at 18:31, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>     One of the things that we need to be able to do if we have the idea of a
>     "Group Admin" is to control specifically which role mappings an admin is
>     allowed to grant.  One of the places this comes up currently is that if
>     an admin has the "manage-users" role, they can pretty much add any
>     permission they want to themselves and get access to the whole realm.
>
>     IMO, this is something we need now.  It needs to be built into our
>     admin UI.
>
>     So, how could we add the ability to control which roles an admin is
>     allowed to grant? Under the "Roles" menu option there would be a "Grant
>     Permissions" tab.  Here, the admin can select a role and specify a list
>     of roles that can be granted if a user has that role.
>
>     Here's an example:
>
>     Let's say there are 2 sales applications "reporting" and "analytics".
>     Each of the apps has defined an "admin" and "user" role. We want to have
>     a developer manage user access to these systems.
>
>     1. Define "Sales Access Control Manager" role.
>     2. Go into "Roles" menu
>     3. Go to the "Role Granting Permissions" tab.
>     4. Select the "Sales Access Control Manager" role
>     5. Select and add the "reporting.user", "reporting.admin",
>     "analytics.user", and "analytics.admin" roles to the list of roles a
>     "Sales Access Control Manager" is allowed to grant.
>


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
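The two designs argued over in this thread can be modelled in a few lines. The following is an added illustration, not Keycloak code and not from either poster: it encodes the explicit "role granting permissions" table from Bill's example (an admin role maps to the set of roles its holders may grant), the implicit alternative from Stian's reply (you may grant any role you hold), and the realm-wide role Bill mentions for editing the grant table. The role names `reporting.*`, `analytics.*` and "Sales Access Control Manager" come from the thread; the realm-wide role name `manage-role-grants` and the `Realm` class are assumptions made for the example. It shows why the explicit model closes the `manage-users` escalation path and why it separates "holds reporting.admin" from "may hand out reporting.admin", the contributor case Bill raises.

```python
"""Toy model of the role-granting-permissions discussion (illustrative only;
not Keycloak's implementation). Role names below are taken from the thread
except `manage-role-grants`, which is a hypothetical realm-wide admin role
in the spirit of view-users / manage-users."""
from dataclasses import dataclass, field

# Hypothetical realm-wide role: only its holders may edit the grant table.
MANAGE_ROLE_GRANTS = "manage-role-grants"


@dataclass
class Realm:
    # composite roles: role -> roles it expands to
    composites: dict[str, set[str]] = field(default_factory=dict)
    # explicit grant permissions: admin role -> roles its holders may grant
    grant_permissions: dict[str, set[str]] = field(default_factory=dict)

    def effective_roles(self, roles):
        """Expand composite roles transitively to what a user really holds."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.composites.get(r, ()))
        return seen

    def set_grant_permissions(self, actor_roles, admin_role, grantable):
        """Only the realm-wide MANAGE_ROLE_GRANTS holder configures the table."""
        if MANAGE_ROLE_GRANTS not in self.effective_roles(actor_roles):
            raise PermissionError("actor may not configure role granting permissions")
        self.grant_permissions[admin_role] = set(grantable)

    def grantable_by(self, actor_roles):
        """Union of roles the actor may grant under the explicit proposal."""
        out = set()
        for r in self.effective_roles(actor_roles):
            out |= self.grant_permissions.get(r, set())
        return out

    def can_grant_explicit(self, actor_roles, target_role):
        """Bill's proposal: grant only what the grant table lists for your roles."""
        return target_role in self.grantable_by(actor_roles)

    def can_grant_implicit(self, actor_roles, target_role):
        """Stian's alternative: you may grant any role you yourself hold."""
        return target_role in self.effective_roles(actor_roles)


def build_example_realm():
    """Steps 1-5 of the thread's example, performed by the master admin."""
    realm = Realm()
    master = {MANAGE_ROLE_GRANTS, "manage-users"}
    realm.set_grant_permissions(
        master,
        "Sales Access Control Manager",
        {"reporting.user", "reporting.admin", "analytics.user", "analytics.admin"},
    )
    return realm


if __name__ == "__main__":
    realm = build_example_realm()
    developer = {"Sales Access Control Manager"}
    print("dev may grant reporting.admin:", realm.can_grant_explicit(developer, "reporting.admin"))
    print("dev may grant manage-users:   ", realm.can_grant_explicit(developer, "manage-users"))
    contributor = {"reporting.admin"}
    print("contributor, explicit model:  ", realm.can_grant_explicit(contributor, "reporting.admin"))
    print("contributor, implicit model:  ", realm.can_grant_implicit(contributor, "reporting.admin"))
```

Under the explicit model the developer can hand out the four sales roles and nothing else, so holding "Sales Access Control Manager" (or even `manage-users`) no longer lets a junior admin grant themselves realm-wide roles; under the implicit model anyone holding `reporting.admin` could pass it on, which is exactly the contributor case the reply objects to. Composite roles still work in both models because membership is expanded before either check.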

