[keycloak-dev] restricted admin console access
bburke at redhat.com
Wed May 10 18:07:07 EDT 2017
I'm thinking of adding additional admin roles: "admin-console-users",
"admin-console-groups", "admin-console-clients" and a composite of all
three: "admin-console-access". These roles exist solely for the admin
console and determine whether or not the "Users", "Clients", or "Groups"
menu items show up. It is unfeasible to calculate this considering that
a restricted admin may have access to only one client in the admin
console or a specific set of users in a specific group.
Alternatively, I could just display the "Users', "Clients" and "Groups"
menu item no matter what role mappings or permissions the restricted
admin has. Then when they click on that menu item, query results are
filtered based on individual permissions. I like the latter better
because its a better user experience. For example, if a restricted
admin can only manage one client and nothing else, the admin console
could bring the admin directly to that client's management page.
More information about the keycloak-dev