[keycloak-dev] restricted admin console access

Bill Burke bburke at redhat.com
Wed May 10 18:07:07 EDT 2017


I'm thinking of adding additional admin roles: "admin-console-users", 
"admin-console-groups", "admin-console-clients" and a composite of all 
three: "admin-console-access".  These roles exist solely for the admin 
console and determine whether or not the "Users", "Clients", or "Groups" 
menu items show up.  It is unfeasible to calculate this considering that 
a restricted admin may have access to only one client in the admin 
console or a specific set of users in a specific group.

Alternatively, I could just display the "Users", "Clients" and "Groups" 
menu items no matter what role mappings or permissions the restricted 
admin has.  Then when they click on that menu item, query results are 
filtered based on individual permissions.  I like the latter better 
because it's a better user experience.  For example, if a restricted 
admin can only manage one client and nothing else, the admin console 
could bring the admin directly to that client's management page.

