<div dir="ltr"><div>So I've spent the last couple of days playing with the source. :-)<br></div><div><br></div><div>The current authorization mechanism is based on Realm/RealmApp i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.</div><div><br></div><div>Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.</div><div><br></div><div>The problem I see is that this API call trigger many methods (i.e. AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:</div><div><br></div><div>1- An app-specific call and thus should be authorized even without realm authorization, or;</div><div>2- Not app-specific call and this should be properly authorized by Realm/RealmApp.</div><div><br></div><div>Even in the case of (1), the information on which app should I check for authorization is not available.</div><div><br></div><div>So it seems to me that this resource-loading mechanisms pressuposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.</div><div><br></div><div>Do you guys have any idea on a more local change I could make to achieve the intended behavior?</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa <span dir="ltr"><<a href="mailto:thiago.addevico@gmail.com" target="_blank">thiago.addevico@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><br>
<br>
----- Original Message -----<br>
> From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com" target="_blank">thiago.addevico@gmail.com</a>><br>
> To: <a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> Sent: Tuesday, 24 March, 2015 1:41:16 PM<br>
> Subject: Re: [keycloak-user] Application Management<br>
><br>
</span><span>> Hi there,<br>
><br>
> I'm Alex's coworker and I'll be working on this too.<br>
><br>
> We were just discussing your idea, and it seems to fit our requirements.<br>
><br>
> As far as we have seen, keycloak already has a realm-admin concept.<br>
> Whenever a realm "R" is created, it creates a R-realm application with<br>
> a bunch of default roles (manage-users, manage-roles, etc.) into the<br>
> realm master.<br>
><br>
> We are currently thinking if we could mimic this structure for<br>
> applications. What do you think?<br>
<br>
</span>It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.<br>
<div><div><br>
><br>
> > I had an idea a while back that is a simple way to achieve what you're<br>
> > asking for. Th> e idea would be to only allow an admin to grant roles that<br>
> > the admin has access to.<br>
><br>
> > Basically:> * A user with admin (super user) role can grant any roles (we<br>
> > would need to add a per-> realm super user role)<br>
><br>
> > * A user with the role manage-users and some roles on app1 can only grant<br>
> > other users > the roles on app1<br>
><br>
> > * A user with the role manage-users and some roles on app2 can only grant<br>
> > other users > the roles on app2<br>
><br>
> ><br>
><br>
> > This is something we should add in either case (to prevent users granting<br>
> themselves more access). Would it solve your problems?<br>
><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>