<div dir="ltr"><div>Sounds complex and confusing to me. Also, how do you specify who's allowed to manage the role-granting permissions?</div><div><br></div>A simpler approach would be to simply require an admin to have a role to be able to grant it to another user. When an admin creates a role they would be given that role as well. You can also use composite roles to achieve the same as you're mentioning above.</div><div class="gmail_extra"><br><div class="gmail_quote">On 5 November 2015 at 18:31, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">One of things that we need to be able to do if we have the idea of a<br>
"Group Admin" is to control specifically which role mappings an admin is<br>
allowed to grant. One of the places this comes up currently is that if<br>
an admin has the "manage-users" role, they can pretty much add any<br>
permission they want to themselves and get access to the whole realm.<br>
<br>
IMO, this is something we need now. It needs to be built into our admin UI.<br>
<br>
So, how could we add the ability to control which roles an admin is<br>
allowed to grant? Under the "Roles" menu option there would be a "Grant<br>
Permissions" tab. Here, the admin can select a role and specify a list<br>
of roles that can be granted if a user has that role.<br>
<br>
Here's an example:<br>
<br>
Let's say there are 2 sales applications "reporting" and "analytics".<br>
Each of the apps has defined an "admin" and "user" role. We want to have<br>
a developer manage user access to these systems.<br>
<br>
1. Define "Sales Access Control Manager" role.<br>
2. Go into "Roles" menu<br>
3. Go to the "Role Granting Permissions" tab.<br>
4. Select the "Sales Access Control Manager" role<br>
5. Select and add the "reporting.user", "reporting.admin",<br>
"analytics.user", and "analytics.admin" roles to the list of roles a<br>
"Sales Access Control Manager" is allowed to grant.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div>
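<div>As an added illustration (editor's example, not Keycloak code and not from either author above): a small Python model of the three policies in play in this exchange, today's unrestricted behaviour where <code>manage-users</code> alone lets an admin map any role, Bill's per-role "grant permissions" list, and the reply's rule that an admin may grant only roles they themselves hold (with composite roles to bundle them). The realm contents, the role names <code>sales-access-manager</code>, <code>realm-admin</code> and <code>audit.viewer</code>, and the function names are constructed for the example.</div>

```python
"""Model of the role-granting policies discussed in the thread.

Added illustration only: Realm, can-grant logic and sample data are
assumptions made for this example, not Keycloak's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Realm:
    # role -> roles it is composed of (composite roles); absent for plain roles
    composites: dict[str, set[str]] = field(default_factory=dict)
    # user -> directly assigned role mappings
    mappings: dict[str, set[str]] = field(default_factory=dict)
    # Bill's proposal: role -> roles an admin holding it is allowed to grant
    grant_permissions: dict[str, set[str]] = field(default_factory=dict)

    def effective_roles(self, user: str) -> set[str]:
        """Expand composite roles transitively (cycle-safe)."""
        seen: set[str] = set()
        todo = list(self.mappings.get(user, ()))
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            todo.extend(self.composites.get(role, ()))
        return seen

    def grantable_by_permission(self, admin: str) -> set[str]:
        """Bill's model: union of the grant lists attached to the admin's roles."""
        out: set[str] = set()
        for role in self.effective_roles(admin):
            out |= self.grant_permissions.get(role, set())
        return out

    def grantable_by_holding(self, admin: str) -> set[str]:
        """Reply's model: an admin may grant exactly the roles they effectively hold."""
        return self.effective_roles(admin)

    def grant(self, admin: str, target: str, role: str, policy: str) -> bool:
        """Attempt to map `role` onto `target`; returns True if allowed and applied."""
        if policy == "unrestricted":
            # Current behaviour described in the thread: manage-users suffices for any role.
            allowed = "manage-users" in self.effective_roles(admin)
        elif policy == "permission":
            allowed = role in self.grantable_by_permission(admin)
        elif policy == "holding":
            allowed = role in self.grantable_by_holding(admin)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if allowed:
            self.mappings.setdefault(target, set()).add(role)
        return allowed


def build_sales_realm() -> Realm:
    """Constructed sample: the thread's two sales apps plus realm-level admin roles."""
    realm = Realm()
    app_roles = {"reporting.user", "reporting.admin", "analytics.user", "analytics.admin"}
    realm.composites["realm-admin"] = {"manage-users", "manage-realm"} | app_roles
    # Reply's suggestion: the manager role is a composite of what it may hand out.
    realm.composites["sales-access-manager"] = set(app_roles)
    # Bill's suggestion: an explicit grant list; audit.viewer is grantable but not held.
    realm.grant_permissions["sales-access-manager"] = app_roles | {"audit.viewer"}
    realm.mappings["dev"] = {"manage-users", "sales-access-manager"}
    realm.mappings["alice"] = set()
    return realm


def scenario(policy: str) -> tuple[bool, bool, bool]:
    """(legit grant to a user, grant of a non-held listed role, self-escalation to realm-admin)."""
    realm = build_sales_realm()
    legit = realm.grant("dev", "alice", "reporting.user", policy)
    listed_not_held = realm.grant("dev", "alice", "audit.viewer", policy)
    escalate = realm.grant("dev", "dev", "realm-admin", policy)
    return legit, listed_not_held, escalate


def dev_has_manage_realm(policy: str) -> bool:
    """Did the developer end up with manage-realm after the scenario ran?"""
    realm = build_sales_realm()
    realm.grant("dev", "dev", "realm-admin", policy)
    return "manage-realm" in realm.effective_roles("dev")


if __name__ == "__main__":
    for p in ("unrestricted", "permission", "holding"):
        print(p, scenario(p), "manage-realm gained:", dev_has_manage_realm(p))
```

<div>Under <code>unrestricted</code> the developer with <code>manage-users</code> grants <code>realm-admin</code> to themselves and gains <code>manage-realm</code>, which is the escalation Bill describes. Both proposed policies stop that. The <code>audit.viewer</code> case is where they differ: the grant-permission list lets an admin hand out a role they do not hold, while the hold-it-to-grant-it rule requires the composite to contain every grantable role.</div>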