[keycloak-dev] controlling which roles an admin can grant

Stian Thorgersen sthorger at redhat.com
Fri Nov 6 01:32:39 EST 2015


I don't agree that it's simpler, but I agree with your other points. I'm
not too worried about the simplicity as I assume this won't be used by most
people, only those that need to limit what roles specific admins can grant.

So we need a role to allow granting all roles and a role to manage role
granting permissions?

This further speaks to us introducing role namespaces as then users can
define the role granting permissions roles (hm.. simpler did you say?) in a
separate namespace.

BTW in the future with the authz services hopefully users can define their
own policies for securing the admin endpoints. We'd ship with some default
policies and permissions, then users can change that however they want. The
admin endpoints would just be secured by the authz services, rather than
our bespoke code we use ATM.

On 5 November 2015 at 21:58, Bill Burke <bburke at redhat.com> wrote:

>
>
> On 11/5/2015 1:58 PM, Stian Thorgersen wrote:
>
>> Sounds complex and confusing to me. Also how do you specify who's
>> allowed to manage the role granting permissions?
>>
>>
> My proposal is *simpler* and very explicit.  All this is is assigning
> admin permissions to a role.
>
>
>
> There would be a realm-wide role for admins that are allowed to set up
> role granting permissions.  Just like we have for view-user, etc.  So, the
> master admin sets up the role granting permissions, then assigns role
> granting roles to each subset of "junior" admins.
>
>
> A simpler approach would be to simply require an admin to have a role to
>> be able to grant it to another user. When an admin creates a role they
>> would be given that role as well. You can also use composite roles to then
>> achieve the same as you're mentioning above.
>>
>>
> I started with that approach, but I thought it was too implicit and
> confusing.  There will be cases where a user has admin permissions for a
> client, but you don't want to allow them to grant this permission to
> others.  It's like contributors at GitHub.  Contributors can merge PRs, but
> they can't grant others contributor access.
>
>
>
>
> On 5 November 2015 at 18:31, Bill Burke <bburke at redhat.com> wrote:
>>
>>     One of the things that we need to be able to do if we have the idea
>>     of a "Group Admin" is to control specifically which role mappings an
>>     admin is allowed to grant.  One of the places this comes up currently
>>     is that if an admin has the "manage-users" role, they can pretty much
>>     add any permission they want to themselves and get access to the
>>     whole realm.
>>
>>     IMO, this is something we need now.  It needs to be built into our
>>     admin UI.
>>
>>     So, how could we add the ability to control which roles an admin is
>>     allowed to grant? Under the "Roles" menu option there would be a
>>     "Grant Permissions" tab.  Here, the admin can select a role and
>>     specify a list of roles that can be granted if a user has that role.
>>
>>     Here's an example:
>>
>>     Let's say there are 2 sales applications "reporting" and "analytics".
>>     Each of the apps has defined an "admin" and "user" role. We want to
>>     have a developer manage user access to these systems.
>>
>>     1. Define "Sales Access Control Manager" role.
>>     2. Go into "Roles" menu
>>     3. Go to the "Role Granting Permissions" tab.
>>     4. Select the "Sales Access Control Manager" role
>>     5. Select and add the "reporting.user", "reporting.admin",
>>     "analytics.user", and "analytics.admin" roles to the list of roles a
>>     "Sales Access Control Manager" is allowed to grant.
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
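Added example (not Keycloak code, and not written by anyone in this thread): a small Python model of the explicit grant table Bill describes, with the steps of his sales example built in, and the unrestricted "manage-users can grant anything" behaviour kept beside it so the self-escalation he mentions is visible. The realm-wide role name MANAGE_ROLE_GRANTS, the realm-admin shortcut, and the user names are assumptions made for this illustration.

```python
# Added illustration of the "role granting permissions" proposal from this
# thread. NOT Keycloak code; MANAGE_ROLE_GRANTS, the realm-admin handling and
# the sample users are assumptions made for the example.
from dataclasses import dataclass, field


class GrantDenied(Exception):
    """Raised when an admin tries to grant, or configure, something they may not."""


MANAGE_USERS = "manage-users"
REALM_ADMIN = "realm-admin"
# Hypothetical realm-wide role for admins allowed to edit the grant table
# (the thread's "realm-wide role for admins that are allowed to set up
# role granting permissions").
MANAGE_ROLE_GRANTS = "manage-role-grant-permissions"


@dataclass
class Realm:
    roles: set
    composites: dict = field(default_factory=dict)   # role -> roles it contains
    grantable: dict = field(default_factory=dict)    # admin role -> roles it may grant
    user_roles: dict = field(default_factory=dict)   # user -> directly mapped roles

    def effective_roles(self, user):
        """Expand composite roles transitively (cycle-safe)."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.composites.get(role, ()))
        return seen

    def set_grantable(self, actor, admin_role, roles):
        """Configure which roles holders of admin_role may grant."""
        if not ({REALM_ADMIN, MANAGE_ROLE_GRANTS} & self.effective_roles(actor)):
            raise GrantDenied(f"{actor} may not edit role granting permissions")
        unknown = set(roles) - self.roles
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.grantable[admin_role] = set(roles)

    def allowed_grants(self, actor):
        """Union of the grant lists of every role the actor effectively holds."""
        effective = self.effective_roles(actor)
        if REALM_ADMIN in effective:
            return set(self.roles)
        allowed = set()
        for role in effective:
            allowed |= self.grantable.get(role, set())
        return allowed

    def grant(self, actor, target_user, role):
        """Map `role` onto `target_user` only if `actor` is permitted to grant it."""
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        if not ({MANAGE_USERS, REALM_ADMIN} & self.effective_roles(actor)):
            raise GrantDenied(f"{actor} lacks {MANAGE_USERS}")
        if role not in self.allowed_grants(actor):
            raise GrantDenied(f"{actor} may not grant {role}")
        self.user_roles.setdefault(target_user, set()).add(role)


def legacy_grant(realm, actor, target_user, role):
    """Pre-proposal behaviour: manage-users alone is enough to grant anything.
    Kept to show the self-escalation the thread is worried about."""
    if MANAGE_USERS not in realm.effective_roles(actor):
        raise GrantDenied(f"{actor} lacks {MANAGE_USERS}")
    realm.user_roles.setdefault(target_user, set()).add(role)


def is_denied(action, *args):
    """True if `action(*args)` raises GrantDenied."""
    try:
        action(*args)
    except GrantDenied:
        return True
    return False


SALES_MANAGER = "Sales Access Control Manager"
APP_ROLES = {"reporting.user", "reporting.admin", "analytics.user", "analytics.admin"}


def build_sales_realm():
    """The thread's example (constructed data): the master admin defines the
    grant list for the Sales Access Control Manager role (steps 1-5), then
    gives 'dev' manage-users plus that role."""
    realm = Realm(roles=APP_ROLES | {MANAGE_USERS, REALM_ADMIN,
                                     MANAGE_ROLE_GRANTS, SALES_MANAGER})
    realm.user_roles["master"] = {REALM_ADMIN}
    realm.set_grantable("master", SALES_MANAGER, APP_ROLES)
    realm.user_roles["dev"] = {MANAGE_USERS, SALES_MANAGER}
    return realm


if __name__ == "__main__":
    r = build_sales_realm()
    r.grant("dev", "alice", "reporting.admin")            # within the grant list
    print("dev may grant:", sorted(r.allowed_grants("dev")))
    print("dev -> realm-admin denied:", is_denied(r.grant, "dev", "dev", REALM_ADMIN))
    legacy_grant(r, "dev", "dev", REALM_ADMIN)            # old behaviour: succeeds
    print("after legacy grant, dev holds:", sorted(r.effective_roles("dev")))
```

The point the model makes is the one Bill raises against the implicit "must hold the role to grant it" scheme: "dev" holds manage-users and can administer users, yet the grant table, not the roles dev holds, decides what dev may hand out, so dev cannot grant manage-users, realm-admin or the grant-table role to anyone, including dev. Editing the table itself is gated on a separate realm-wide role, which answers the "who's allowed to manage the role granting permissions" question in the same explicit style.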