<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1427157836505_2799" dir="ltr">+1. Glad that you are willing to pitch in. May I request that an API be provided to add users to this role dynamically?</div><div id="yui_3_16_0_1_1427157836505_2807" dir="ltr"><br></div><div id="yui_3_16_0_1_1427157836505_2808" dir="ltr">Regards,</div><div id="yui_3_16_0_1_1427157836505_2809" dir="ltr">Raghu<br></div><div id="yui_3_16_0_1_1427157836505_2723" style="font-family: times new roman, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1427157836505_2722" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1427157836505_2721" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1427157836505_2720"> <font id="yui_3_16_0_1_1427157836505_2745" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Alex Gouvêa Vasconcelos <alexgv99@gmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Bill Burke <bburke@redhat.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>; Thiago Addevico Presa <thiago.addevico@gmail.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, March 23, 2015 4:31 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Application Management<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1427157836505_2746"><br><div id="yiv2665067204"><div id="yui_3_16_0_1_1427157836505_2749"><div id="yui_3_16_0_1_1427157836505_2748" dir="ltr"><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2747" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;">We found a Jira about the same issue we talked about [1]. 
We are available to help implement that feature, but we barely know about the Keycloak implementation. </div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2750" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2817" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;">Our current idea is to create the app-admin role when the application is created in the realm. We would display a widget in the Application > <app name> > Roles > <role name> screen to allow the app-admin to assign the given role to users.</div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2751" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2818" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;">As for the schema, we're not sure how to store the "app-admin" information. 
We provisionally thought about a boolean field stating whether the role is the admin role of the associated app, but input here would be very welcome.</div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2819" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" id="yui_3_16_0_1_1427157836505_2820" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;">In short, if someone could provide some guidance on these sorts of issues, we're more than happy to provide some code.</div><div class="yiv2665067204gmail_default" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;"><br clear="none"></div><div class="yiv2665067204gmail_default" style="color: rgb(7, 55, 99); font-family: verdana, sans-serif; font-size: small;">[1] <a tabindex="-1" class="yiv2665067204" style="line-height: 16px; font-family: arial, sans-serif; font-size: 13px;" dir="ltr" href="https://www.google.com/url?q=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-1032&sa=D&sntz=1&usg=AFQjCNEK2x-tAD1jkyPxJsedeAGDWKI7BA" target="_blank" rel="nofollow" shape="rect">https://issues.jboss.org/browse/KEYCLOAK-1032</a></div></div><div class="yiv2665067204gmail_extra"><br clear="all"><div><div class="yiv2665067204gmail_signature"><div style="text-align: left;">Cordially.</div><div style="text-align: left;">Alex Gouvêa Vasconcelos</div>mailto:<a href="mailto:alexgv99@gmail.com" target="_blank" rel="nofollow" 
shape="rect" ymailto="mailto:alexgv99@gmail.com">alexgv99@gmail.com</a><br clear="none">MSN: <a href="mailto:alexgv99@hotmail.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:alexgv99@hotmail.com">alexgv99@hotmail.com</a><br clear="none"><div><a href="http://about.me/alexgv99" target="_blank" rel="nofollow" shape="rect">http://about.me/alexgv99</a></div><div><br clear="none"></div></div></div>
<br clear="none"><div class="yiv2665067204gmail_quote">2015-03-23 12:06 GMT-03:00 Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>></span>:<br clear="none"><div class="qtdSeparateBR"><br><br></div><div class="yiv2665067204yqt2637900716" id="yiv2665067204yqt35681"><blockquote class="yiv2665067204gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">So, you have an "application admin", and you want this admin to only be<br clear="none">
able to add permissions for that app for a specific user? You'll have<br clear="none">
to submit a JIRA for that. Our queue is very large right now, so I<br clear="none">
can't promise much.<br clear="none">
<div><div class="yiv2665067204h5"><br clear="none">
On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:<br clear="none">
> Hi all...<br clear="none">
><br clear="none">
> We started using Keycloak a few weeks ago, trying an SSO solution for<br clear="none">
> our company. We used to use a proprietary system for<br clear="none">
> authentication/authorization and our users have a console admin which<br clear="none">
> allows them to manage users and roles per application.<br clear="none">
> We tried doing that in Keycloak but the only way we found to do<br clear="none">
> something similar to that, was giving realm-management rights to the<br clear="none">
> application admin. This was not what we were trying to do, because those<br clear="none">
> rights allow the admin of app1 to give permission to users of app2.<br clear="none">
><br clear="none">
> We found another user of this forum with a similar question in the February<br clear="none">
> archives... [1] but the answer did not specify if this is in future<br clear="none">
> plans. If not, is there any help we could count on to implement it ourselves?<br clear="none">
><br clear="none">
> [1] <a href="http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html" target="_blank" rel="nofollow" shape="rect">http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html</a><br clear="none">
><br clear="none">
> Best regards.<br clear="none">
> Alex Gouvêa Vasconcelos<br clear="none">
</div></div>> mailto:<a href="mailto:alexgv99@gmail.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:alexgv99@gmail.com">alexgv99@gmail.com</a> <mailto:<a href="mailto:alexgv99@gmail.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:alexgv99@gmail.com">alexgv99@gmail.com</a>><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> _______________________________________________<br clear="none">
> keycloak-user mailing list<br clear="none">
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" rel="nofollow" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">
><br clear="none">
<span class="yiv2665067204HOEnZb"><font color="#888888"><br clear="none">
--<br clear="none">
Bill Burke<br clear="none">
JBoss, a division of Red Hat<br clear="none">
<a href="http://bill.burkecentral.com/" target="_blank" rel="nofollow" shape="rect">http://bill.burkecentral.com</a><br clear="none">
</font></span></blockquote></div></div><br clear="none"></div></div></div><br><div class="yqt2637900716" id="yqt65315"></div><br><br></div> </div> </div> </div></body></html>