Re: [keycloak-dev] controlling which roles an admin can grant

Sounds complex and confusing to me. Also how do you specify how's allowed to manage the role granting permissions?

A simpler approach would be to simply require an admin to have a role to be able to grant it to another user. When an admin creates a role they would be given that role as well. You an also composite roles to then achieve the same as you're mentioning above.

On 5 November 2015 at 18:31, Bill Burke <bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: One of things that we need to be able to do if we have the idea of a "Group Admin" is to control specifically which role mappings an admin is allowed to grant. One of the places this comes up currently is that if an admin has the "manage-users" role, they can pretty much add any permission they want to themselves and get access to the whole realm. IMO, this is something we need now. It needs to be built into our admin UI. So, how could we add the ability to control which roles an admin is allowed to grant? Under the "Roles" menu option there would be a "Grant Permissions" tab. Here, the admin can select a role and specify a list of roles that can be granted if a user has that role. Here's an example: Let's say there are 2 sales applications "reporting" and "analytics". Each of the apps has defined an "admin" and "user" role. We want to have a developer manage user access to these systems. 1. Define "Sales Access Control Manager" role. 2. Go into "Roles" menu 3. Go to the "Role Granting Permissions" tab. 4. Select the "Sales Access Control Manager" role 5. Select and add the "reporting.user", "reporting.admin", "analytics.user", and "analytics.admin" roles to the list of roles a "Sales Access Control Manager" is allowed to grant.