<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>At the end of the day any customer data is at the tip of a finger of an admin or other people who can see all they want with an sql statement or even easier sometimes. I've seen a big bank who had this feature implemented on their online banking website and it's been validated by all the security audits out there and it was really helpful.</div><div><br></div><div>Is there is a nice way to get this done with Keycloak ? </div><div><br></div><div>Anyone has an idea !</div><div><br><br></div><div><br>On 17 Oct 2014, at 20:36, Stan Silvert <<a href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">On 10/17/2014 1:53 PM, Alexander
Chriztopher wrote:<br>
</div>
<blockquote cite="mid:8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com" type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div>This is not an issue in our context as it is just to secure
an application where admins are publishing data to users and
they would like to make sure they are publishing the right thing
and nothing more which otherwise would be a big security hole.
Users on the other hand will upload documents for admins. </div>
<div><br>
</div>
<div>There is nothing as such as bank accounts issues or private
data issues as you mentioned.<br>
</div>
</blockquote>
I understand. But Keycloak is also used by applications where those
issues do exist. <br>
<blockquote cite="mid:8DA49644-C7A6-4EB2-B568-0853908DEF40@gmail.com" type="cite">
<div><br>
<br>
</div>
<div><br>
On 17 Oct 2014, at 19:07, Stan Silvert <<a moz-do-not-send="true" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">I see how that would be very
useful but it would also be very, very dangerous. You can't
give the admin rights to just waltz into someone's bank
account.<br>
<br>
At the very least we would need a way for the user to give
consent.<br>
<br>
On 10/17/2014 11:00 AM, Alexander Chriztopher wrote:<br>
</div>
<blockquote cite="mid:CAJfT+OrXOH-0MUs-W0TUTMU=-Fq5eGJ4z+3MFaWC8PS4yDs7Eg@mail.gmail.com" type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>I would like to know if there is a way to let a
connected user -an admin- reconnect as another user
-with less privilegies- without providing a password.</div>
<div><br>
</div>
<div>The idea is to be able for a super user to see how
exactly an application behaves with another user without
knowing that user credentials.</div>
<div><br>
</div>
<div>Thanks for any help.</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>keycloak-user mailing list</span><br>
<span><a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></span><br>
<span><a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></div>
</blockquote>
</blockquote>
<br>
</div></blockquote></body></html>