<div dir="ltr"><pre style="color:rgb(0,0,0)">Hi there,</pre><pre style="color:rgb(0,0,0)">I'm Alex's coworker and I'll be working on this too.</pre><pre style="color:rgb(0,0,0)">We were just discussing your idea, and it seems to fit our requirements.</pre><pre style="color:rgb(0,0,0)">As far as we have seen, Keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates an R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) in the master realm.</pre><pre style="color:rgb(0,0,0)">We are currently thinking about whether we could mimic this structure for applications. What do you think?</pre><pre style="color:rgb(0,0,0)">> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:
> * A user with the admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>
> This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?</pre></div>
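The rule proposed in the quoted reply ("an admin may only grant roles the admin has access to", with a per-realm super user that may grant anything) as a small runnable model. This is an added example, not Keycloak code and not code from anyone in the thread. The role names manage-users and manage-roles come from the message; the super-user role name "realm-admin", the Admin and Role types, the user names and the app1/app2 role names are assumptions made for illustration. It uses the stricter reading of the bullets, namely that an admin may only hand out the specific application roles they themselves hold, which is also what rules out self-escalation:

```python
"""Toy model of the "grant only what you hold" rule proposed in the quoted reply.

Added example, not Keycloak code.  manage-users comes from the thread;
"realm-admin" as the per-realm super-user role name, the Admin/Role types
and the user and application names below are assumptions.
"""
from dataclasses import dataclass

SUPER_USER_ROLE = "realm-admin"   # assumed name for the per-realm super user
MANAGE_USERS = "manage-users"     # realm-level role needed to touch users at all


@dataclass(frozen=True)
class Role:
    app: str    # the application (client) the role belongs to, e.g. "app1"
    name: str   # role name within that application


@dataclass(frozen=True)
class Admin:
    username: str
    realm_roles: frozenset   # role names on the realm-management application
    app_roles: frozenset     # Role objects the admin holds on applications


class GrantDenied(PermissionError):
    pass


def can_grant(admin: Admin, role: Role) -> bool:
    """Decide whether `admin` may assign `role` to some user.

    Super users may grant anything.  Everyone else needs manage-users and may
    only hand out application roles they hold themselves.  That confines them
    to the applications they have roles on and prevents self-escalation: the
    only roles they can add to their own account are ones they already have.
    """
    if SUPER_USER_ROLE in admin.realm_roles:
        return True
    if MANAGE_USERS not in admin.realm_roles:
        return False
    return role in admin.app_roles


def grant(admin: Admin, target_user: str, role: Role, assignments: dict) -> None:
    """Apply one grant to the in-memory `assignments` map, or raise GrantDenied."""
    if not can_grant(admin, role):
        raise GrantDenied(f"{admin.username} may not grant {role.app}:{role.name}")
    assignments.setdefault(target_user, set()).add(role)


def run_scenario() -> dict:
    """Constructed scenario mirroring the bullets in the thread.

    Returns the outcome ("granted" or "denied") of each attempted grant.
    """
    app1_editor = Role("app1", "editor")
    app1_admin = Role("app1", "admin")
    app2_editor = Role("app2", "editor")

    # alice: manage-users plus one role on app1; root: per-realm super user
    alice = Admin("alice", frozenset({MANAGE_USERS}), frozenset({app1_editor}))
    root = Admin("root", frozenset({SUPER_USER_ROLE}), frozenset())
    assignments = {}
    outcomes = {}

    attempts = [
        ("alice grants app1:editor to bob", alice, "bob", app1_editor),
        ("alice grants app2:editor to bob", alice, "bob", app2_editor),    # other app
        ("alice grants app1:admin to alice", alice, "alice", app1_admin),  # self-escalation
        ("root grants app2:editor to bob", root, "bob", app2_editor),
    ]
    for label, admin, target, role in attempts:
        try:
            grant(admin, target, role, assignments)
            outcomes[label] = "granted"
        except GrantDenied:
            outcomes[label] = "denied"
    return outcomes


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{result:8} {label}")
```

The check deliberately keys on the roles the admin actually holds rather than on "has some role on app1", so an app1 editor cannot promote anyone (including themselves) to app1 admin; if the looser reading of the bullets is intended, the last line of `can_grant` would compare `role.app` against the set of apps the admin has roles on instead.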