[keycloak-user] Client roles for 'security-admin-console' application are not fine grained enough

Valerij Timofeev valerij.timofeev at gmail.com
Fri Jul 22 10:36:57 EDT 2016


Hi,

after reading the ticket KEYCLOAK-528 I've encountered two other issues in
the "security-admin-console" application (tested on RH SSO 7.0.0):

1) As soon as a realm user gets the 'manage-users' role, he can manage
"User federation" settings and even delete it. This can result in
unintentional removal of all users linked with the user federation provider
and thus affect potentially millions of users.

2) Users having the 'view-users' role can view "User Federation". The "Delete"
button is visible as well, although in the end it does not work.

IMO "User federation" should be covered by the realm management roles
instead.

Additionally, the provided roles for the 'realm-management' client are not
fine grained enough IMO. One role per REST method would be ideal and, I
suppose, simpler to consider in the Keycloak Admin API.

The "security-admin-console" application without fine grained roles exposes
too much risk in real life scenarios and so makes it unusable. One use case
in mind: prevent deletion of any kind for Helpdesk employees e.g. managing
users. Having dedicated roles for DELETE operation would make such task
possible.

Kind regards
Valerij Timofeev
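A practitioner reading this will want to know who in a realm currently holds the coarse roles the post describes, and what that implies. The script below is an added example, not code from the original post and not Keycloak's own tooling. The Admin REST API endpoints it calls (token endpoint, `clients?clientId=`, `users`, `role-mappings/clients/{id}/composite`) are real, but the `CAPABILITIES` table is an assumption reconstructed from the post's observations on RH SSO 7.0.0 (`manage-users` reaching user-federation deletion, `view-users` seeing the federation pages), not a statement of Keycloak's documented authorization model, and the sample data at the bottom is constructed so the audit logic runs offline.

```python
"""
Audit which users hold coarse-grained 'realm-management' client roles in a
Keycloak realm and report the capabilities those roles effectively grant.

Added example for the mailing-list post above; not Keycloak project code.
Everything labelled "assumption" below is derived from the post, not from
Keycloak documentation.
"""
import json
import sys
import urllib.parse
import urllib.request

# Assumption: capabilities each role confers, as observed in the post on
# RH SSO 7.0.0. 'manage-users' also lets the holder manage and delete
# user-federation providers; 'view-users' exposes the federation pages.
CAPABILITIES = {
    "view-users": {"read-users", "view-user-federation"},
    "manage-users": {"read-users", "write-users", "delete-users",
                     "view-user-federation", "manage-user-federation",
                     "delete-user-federation"},
}

# Assumption: composite roles that imply 'manage-users' when the input has
# not already been expanded (the live fetch below asks Keycloak to expand).
IMPLIES_MANAGE_USERS = {"realm-admin"}


def effective_capabilities(roles):
    """Expand a list of realm-management role names into capability names."""
    roles = set(roles)
    if roles & IMPLIES_MANAGE_USERS:
        roles.add("manage-users")
    caps = set()
    for role in roles:
        caps |= CAPABILITIES.get(role, set())
    return caps


def audit(user_roles, forbidden=frozenset({"delete-users", "delete-user-federation"})):
    """user_roles: {username: [realm-management role names]}.

    Returns {username: sorted capabilities} for every user who can do
    something the caller declared off-limits. The default mirrors the
    helpdesk use case in the post: no deletion of any kind.
    """
    findings = {}
    for user, roles in user_roles.items():
        hit = effective_capabilities(roles) & forbidden
        if hit:
            findings[user] = sorted(hit)
    return findings


# ---- live mode: Keycloak Admin REST API (endpoints are real) --------------

def admin_token(base, username, password):
    """Password grant against the master realm via the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_json(base, token, path):
    req = urllib.request.Request(f"{base}/admin/realms/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_user_roles(base, token, realm, page=500):
    """Map every user in `realm` to their effective realm-management client roles."""
    rm_client = get_json(base, token, f"{realm}/clients?clientId=realm-management")[0]["id"]
    out, first = {}, 0
    while True:
        users = get_json(base, token, f"{realm}/users?first={first}&max={page}")
        if not users:
            return out
        for u in users:
            # '.../composite' expands roles inherited via composites and groups,
            # so 'realm-admin' holders show up as 'manage-users' holders too.
            mappings = get_json(base, token,
                                f"{realm}/users/{u['id']}/role-mappings/clients/{rm_client}/composite")
            out[u["username"]] = [m["name"] for m in mappings]
        first += page


# Constructed sample data (not taken from any real server) for offline use.
SAMPLE = {
    "helpdesk1": ["view-users"],
    "helpdesk2": ["manage-users"],
    "ops-admin": ["realm-admin"],
    "auditor": ["view-realm"],
}

if __name__ == "__main__":
    if len(sys.argv) == 5:  # base_url realm admin_user admin_password
        base, realm, user, pw = sys.argv[1:]
        base = base.rstrip("/")
        data = fetch_user_roles(base, admin_token(base, user, pw), realm)
    else:
        data = SAMPLE
    for name, caps in audit(data).items():
        print(f"{name}: can {', '.join(caps)}")
```

Run it with no arguments to see the offline result, or as `python audit.py https://sso.example.com/auth myrealm admin 'password'` against a server. It only reports; because the roles in this version are per-resource rather than per-method, there is no role mapping that lets you keep `manage-users` for helpdesk while removing its delete capability, which is exactly the gap the post is raising.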