<div dir="ltr">OK, agreed. We thought of this for consistency's sake, but if that's not a good design we surely can consider a better one.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> To: <a href="mailto:stian@redhat.com">stian@redhat.com</a><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Tuesday, 24 March, 2015 1:41:16 PM<br>
> Subject: Re: [keycloak-user] Application Management<br>
><br>
</span><span class="">> Hi there,<br>
><br>
> I'm Alex's coworker and I'll be working on this too.<br>
><br>
> We were just discussing your idea, and it seems to fit our requirements.<br>
><br>
> As far as we have seen, keycloak already has a realm-admin concept.<br>
> Whenever a realm "R" is created, it creates a R-realm application with<br>
> a bunch of default roles (manage-users, manage-roles, etc.) into the<br>
> realm master.<br>
><br>
> We are currently wondering whether we could mimic this structure for<br>
> applications. What do you think?<br>
<br>
</span>It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> > I had an idea a while back that is a simple way to achieve what you're<br>
> > asking for. The idea would be to only allow an admin to grant roles that<br>
> > the admin has access to.<br>
> ><br>
> > Basically:<br>
> > * A user with admin (super user) role can grant any roles (we<br>
> > would need to add a per-realm super user role)<br>
> ><br>
> > * A user with the role manage-users and some roles on app1 can only grant<br>
> > other users the roles on app1<br>
> ><br>
> > * A user with the role manage-users and some roles on app2 can only grant<br>
> > other users the roles on app2<br>
> ><br>
> > This is something we should add in either case (to prevent users granting<br>
> > themselves more access). Would it solve your problems?<br>
><br>
</div></div></blockquote></div><br></div>
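The "grant only what you hold" rule quoted in the thread, written out as an added example so the three bullet points can be checked end to end. This is not Keycloak's own code and not code from any participant: the User class, the GrantDenied exception, the demo scenario and the role names "admin" (standing in for the per-realm super user role) and the application role names are all assumptions chosen for illustration; only "manage-users" is a role named in the thread.

```python
# Added illustration of the proposed check, not Keycloak code.
# Assumed names: SUPER_USER_ROLE ("admin"), User, GrantDenied, can_grant,
# can_grant_realm_role, grant_app_role, demo. "manage-users" is from the thread.
from dataclasses import dataclass, field

SUPER_USER_ROLE = "admin"           # per-realm super user role (assumed name)
MANAGE_USERS_ROLE = "manage-users"  # realm-management role named in the thread


@dataclass
class User:
    name: str
    realm_roles: set = field(default_factory=set)
    # application name -> set of role names the user holds on that application
    app_roles: dict = field(default_factory=dict)

    def has_app_role(self, app: str, role: str) -> bool:
        return role in self.app_roles.get(app, set())


class GrantDenied(Exception):
    """Raised when a granter tries to hand out access it does not hold."""


def can_grant(granter: User, app: str, role: str) -> bool:
    """May `granter` give application role `role` on `app` to someone?

    - The per-realm super user may grant any role.
    - Anyone else needs manage-users AND must already hold the role on that
      application, so an app1 admin cannot hand out app2 roles.
    """
    if SUPER_USER_ROLE in granter.realm_roles:
        return True
    if MANAGE_USERS_ROLE not in granter.realm_roles:
        return False
    return granter.has_app_role(app, role)


def can_grant_realm_role(granter: User, role: str) -> bool:
    """Same rule for realm-level roles: only the super user can grant admin."""
    if SUPER_USER_ROLE in granter.realm_roles:
        return True
    return MANAGE_USERS_ROLE in granter.realm_roles and role in granter.realm_roles


def grant_app_role(granter: User, grantee: User, app: str, role: str) -> None:
    """Apply the check, then add the application role to the grantee."""
    if not can_grant(granter, app, role):
        raise GrantDenied(f"{granter.name} may not grant {app}:{role} to {grantee.name}")
    grantee.app_roles.setdefault(app, set()).add(role)


def grant_realm_role(granter: User, grantee: User, role: str) -> None:
    if not can_grant_realm_role(granter, role):
        raise GrantDenied(f"{granter.name} may not grant realm role {role}")
    grantee.realm_roles.add(role)


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "granted"
    except GrantDenied:
        return "denied"


def demo() -> dict:
    """Constructed scenario mirroring the bullet points in the thread."""
    superuser = User("root", realm_roles={SUPER_USER_ROLE})
    app1_admin = User("alice", realm_roles={MANAGE_USERS_ROLE},
                      app_roles={"app1": {"app1-admin", "app1-reader"}})
    app2_admin = User("bob", realm_roles={MANAGE_USERS_ROLE},
                      app_roles={"app2": {"app2-admin"}})
    plain = User("carol")

    results = {}
    # super user: any role on any application
    results["superuser_any"] = _attempt(grant_app_role, superuser, plain, "app2", "app2-admin")
    # alice holds roles on app1, so she may grant those on app1
    results["app1_admin_own_app"] = _attempt(grant_app_role, app1_admin, plain, "app1", "app1-reader")
    # alice holds nothing on app2: cross-application grant is refused
    results["app1_admin_other_app"] = _attempt(grant_app_role, app1_admin, plain, "app2", "app2-admin")
    # bob cannot give himself a role he does not already hold
    results["self_escalation"] = _attempt(grant_app_role, app2_admin, app2_admin, "app1", "app1-admin")
    # alice cannot promote herself to super user
    results["grant_admin_role"] = _attempt(grant_realm_role, app1_admin, app1_admin, SUPER_USER_ROLE)
    # carol now holds app2-admin but lacks manage-users, so she cannot grant it on
    results["no_manage_users"] = can_grant(plain, "app2", "app2-admin")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of routing every grant through `can_grant` and `can_grant_realm_role` is that the check is a pure function of the granter's current roles, so it is easy to audit and easy to unit test: the self-escalation and cross-application cases are denied without any per-application admin role having to exist.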