<div dir="ltr">Ah, yes, I didn't understand your proposal properly. Wouldn't giving manage-users to app-admins cause trouble, since app-admins could create and modify user accounts?</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Well, yes.. I told you it was a bit rubbish and would need some re-design to implement more fine grained permissions. Doing that is a relatively big task and is not a high priority for us ATM.<br>
<br>
I'm a bit confused by this email as I proposed a simple solution that would resolve your requirements. If an admin can only grant permissions that admin has access to all you have to do is to create an admin that can only access roles for certain applications and your problem should be solved. That's a simple solution that we can add soon.<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
</span><div class="HOEnZb"><div class="h5">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 26 March, 2015 8:10:07 PM<br>
> Subject: Re: [keycloak-user] Application Management<br>
><br>
> So I've spent the last couple of days playing with the source. :-)<br>
><br>
> The current authorization mechanism is based on Realm/RealmApp i.e.<br>
> whenever an API resource is called, check if the User has the required<br>
> Right (manage, any, view) in the resource's Realm/RealmApp.<br>
><br>
> Consider, for example, the URI<br>
> /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What<br>
> I was trying to do is to create a permission for {app-name} so that this<br>
> API call wouldn't require any Realm/RealmApp right.<br>
><br>
> The problem I see is that this API call triggers many methods (i.e.<br>
> AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin,<br>
> RealmAdminResource#getApplicationsById, and so on...), and at those methods<br>
> there is not enough information to figure out whether this is:<br>
><br>
> 1- An app-specific call and thus should be authorized even without realm<br>
> authorization, or;<br>
> 2- Not an app-specific call and thus should be properly authorized by<br>
> Realm/RealmApp.<br>
><br>
> Even in the case of (1), the information on which app I should check for<br>
> authorization is not available.<br>
><br>
> So it seems to me that this resource-loading mechanism presupposes an<br>
> authorization mechanism that checks only against the realm for permission,<br>
> and changing this seems daunting to me.<br>
><br>
> Do you guys have any idea on a more local change I could make to achieve<br>
> the intended behavior?<br>
><br>
> On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> wrote:<br>
><br>
> > OK, agreed. We thought this out of consistency, but if that's not a good<br>
> > design we surely can consider a better one.<br>
> ><br>
> > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > wrote:<br>
> ><br>
> >><br>
> >><br>
> >> ----- Original Message -----<br>
> >> > From: "Thiago Presa" <<a href="mailto:thiago.addevico@gmail.com">thiago.addevico@gmail.com</a>><br>
> >> > To: <a href="mailto:stian@redhat.com">stian@redhat.com</a><br>
> >> > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM<br>
> >> > Subject: Re: [keycloak-user] Application Management<br>
> >> ><br>
> >> > Hi there,<br>
> >> ><br>
> >> > I'm Alex's coworker and I'll be working on this too.<br>
> >> ><br>
> >> > We were just discussing your idea, and it seems to fit our requirements.<br>
> >> ><br>
> >> > As far as we have seen, keycloak already has a realm-admin concept.<br>
> >> > Whenever a realm "R" is created, it creates a R-realm application with<br>
> >> > a bunch of default roles (manage-users, manage-roles, etc.) into the<br>
> >> > realm master.<br>
> >> ><br>
> >> > We are currently thinking if we could mimic this structure for<br>
> >> > applications. What do you think?<br>
> >><br>
> >> It's already messy with the way I modelled it and adding the same for<br>
> >> applications would be even worse. I don't see why that's needed though if<br>
> >> we'd add what I proposed.<br>
> >><br>
> >> ><br>
> >> > > I had an idea a while back that is a simple way to achieve what you're<br>
> >> > > asking for. The idea would be to only allow an admin to grant roles<br>
> >> that<br>
> >> > > the admin has access to.<br>
> >> ><br>
> >> > > Basically: * A user with admin (super user) role can grant any roles<br>
> >> (we<br>
> >> > > would need to add a per-realm super user role)<br>
> >> ><br>
> >> > > * A user with the role manage-users and some roles on app1 can only<br>
> >> grant<br>
> >> > > other users the roles on app1<br>
> >> ><br>
> >> > > * A user with the role manage-users and some roles on app2 can only<br>
> >> grant<br>
> >> > > other users the roles on app2<br>
> >> ><br>
> >> > ><br>
> >> ><br>
> >> > > This is something we should add in either case (to prevent users<br>
> >> granting<br>
> >> > > themselves more access). Would it solve your problems?<br>
> >> ><br>
> >><br>
> ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>
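The grant rule Stian proposes in the quoted thread (a per-realm super user may grant any role; an admin with manage-users may only grant roles that admin already has) as an added toy model in Python. This is example code written for this page, not Keycloak code and not part of the thread. It takes the stricter reading of "roles the admin has access to", namely the exact roles the admin holds, so a manage-users admin cannot grant itself a role it lacks. The client name `realm-management`, the role names other than manage-users and admin, and the user names are constructed assumptions.

```python
# Added toy model of the proposed rule: an admin may grant a role only if that
# admin already holds it, except a per-realm super user ("admin"), who may grant
# anything. Not Keycloak code; the names below are constructed for the example.
from dataclasses import dataclass, field


class GrantDenied(PermissionError):
    """Raised when the acting admin is not allowed to grant the role."""


@dataclass(frozen=True)
class Role:
    app: str    # application (client) the role belongs to
    name: str


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)


# Assumed names for the realm-level administration roles.
ADMIN = Role("realm-management", "admin")                # per-realm super user
MANAGE_USERS = Role("realm-management", "manage-users")  # may administer users


def can_grant(actor: User, role: Role) -> bool:
    """Policy: super users grant anything; anyone else needs manage-users
    and must already hold the exact role being granted."""
    if ADMIN in actor.roles:
        return True
    if MANAGE_USERS not in actor.roles:
        return False
    return role in actor.roles


def grant(actor: User, target: User, role: Role) -> None:
    """Grant `role` to `target` on behalf of `actor`; the policy is checked
    before any state changes, so a denied grant leaves `target` untouched."""
    if not can_grant(actor, role):
        raise GrantDenied(f"{actor.username} may not grant {role.app}:{role.name}")
    target.roles.add(role)


def demo() -> dict:
    """Run the cases from the thread plus a self-escalation attempt and
    return, per case, whether the grant was allowed."""
    superuser = User("root", {ADMIN})
    app1_admin = User("alice", {MANAGE_USERS, Role("app1", "editor")})
    app2_admin = User("carol", {MANAGE_USERS, Role("app2", "editor")})
    bob = User("bob")
    attempts = {
        "app1 admin grants app1 role": (app1_admin, bob, Role("app1", "editor")),
        "app1 admin grants app2 role": (app1_admin, bob, Role("app2", "editor")),
        "app2 admin grants app2 role": (app2_admin, bob, Role("app2", "editor")),
        "app1 admin grants self super user": (app1_admin, app1_admin, ADMIN),
        "super user grants app2 role": (superuser, bob, Role("app2", "editor")),
    }
    results = {}
    for label, (actor, target, role) in attempts.items():
        try:
            grant(actor, target, role)
            results[label] = True
        except GrantDenied:
            results[label] = False
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOWED' if allowed else 'DENIED '}  {label}")
```

The check lives in one place (`can_grant`) and is evaluated before the role set is modified, which is the property that matters for the concern raised at the top of the thread: an app-admin holding manage-users can create and edit users, but cannot use that to hand out realm-level or other-application roles it does not hold itself.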