<div dir="ltr">Added this comment to the previous thread, but copy/pasting here:<div><br></div><div><span style="font-size:12.8px">I was thinking a bit more about trust between realms and I think that should be limited to authentication only. An admin with certain roles in one realm shouldn't necessarily have the same roles in another realm. So I think we need either a user that can exist in multiple realms or utilize identity brokering to get "linked" users. I'm worried if we allow roles from one realm to give admin permissions in another it will be hard to get a full picture of who has access to the realm. It may also give unintentional permissions. Also, if we introduce admins that can only manage a "group" of users or roles that specify what roles an admin can grant, that would require users in the specific realm to manage. </span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 4 December 2015 at 17:23, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To establish trust between realms I was thinking about a simple table:<br>
<br>
realm|trusted-realm|role<br>
<br>
Here's some example records:<br>
<br>
test-realm|master|manage-clients<br>
test-realm|master|view-users<br>
<br>
means<br>
<br>
"test-realm" trusts the "master" realm, but they can only<br>
"manage-clients" and "view-users"<br>
<br>
The "role" column would just be the name of the realm, not an id and<br>
would reference the "realm-management" client roles (which will be moved<br>
to security-admin-console client).<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div>
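The following is an added worked example, not code from this thread or from Keycloak itself. It models the realm|trusted-realm|role table Bill proposes and resolves cross-realm admin permissions deny-by-default: a role is usable in the target realm only if the trust record lists it and the admin actually holds it in the home realm, so trust is one-directional and never widens beyond the listed roles. It also adds a small audit view for the concern raised in the reply about seeing who has access to a realm. The sample records are constructed from the thread's two example rows; the function names and the in-memory dictionary layout are my own assumptions about how such a table might be consulted.

```python
"""Cross-realm admin trust resolution, modelled on the realm|trusted-realm|role
table from the keycloak-dev thread.  Constructed illustration, not Keycloak code.
"""
from collections import defaultdict

# Constructed sample records, copied from the two example rows in the thread.
TRUST_RECORDS = """\
test-realm|master|manage-clients
test-realm|master|view-users
"""


def parse_trust_table(text):
    """Parse pipe-delimited records into {(realm, trusted_realm): set(roles)}.

    Blank lines are skipped.  Any record that does not have exactly three
    non-empty fields is rejected outright, so a malformed row can never be
    misread as a broader grant than intended.
    """
    table = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"malformed trust record on line {lineno}: {raw!r}")
        realm, trusted_realm, role = fields
        table[(realm, trusted_realm)].add(role)
    return dict(table)


def effective_roles(table, target_realm, home_realm, home_roles):
    """Realm-management roles an admin from home_realm may use in target_realm.

    Deny by default: only roles that the trust record for
    (target_realm, home_realm) lists AND that the admin holds at home are
    granted.  Trust is directional; a record for (A, B) says nothing about (B, A).
    """
    if target_realm == home_realm:
        # Local admin: the home roles apply directly, no trust lookup needed.
        return set(home_roles)
    trusted = table.get((target_realm, home_realm), set())
    return trusted & set(home_roles)


def is_allowed(table, target_realm, home_realm, home_roles, required_role):
    """True if the admin may perform an action needing required_role in target_realm."""
    return required_role in effective_roles(table, target_realm, home_realm, home_roles)


def who_can_access(table, target_realm):
    """Audit view: every foreign realm target_realm trusts, with the roles covered.

    Output is sorted so it can be diffed or reviewed deterministically.
    """
    return sorted(
        (trusted, sorted(roles))
        for (realm, trusted), roles in table.items()
        if realm == target_realm
    )


if __name__ == "__main__":
    table = parse_trust_table(TRUST_RECORDS)
    master_admin = {"manage-clients", "view-users", "manage-users"}
    print("effective in test-realm:", sorted(effective_roles(table, "test-realm", "master", master_admin)))
    print("manage-users in test-realm allowed:", is_allowed(table, "test-realm", "master", master_admin, "manage-users"))
    print("who can reach test-realm:", who_can_access(table, "test-realm"))
```

Note that `manage-users` is dropped even though the master admin holds it, because the trust record does not list it; and an admin from `test-realm` gets nothing in `master`, since no record exists for that direction.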