Sounds complex and confusing to me. Also how do you specify who's allowed
to manage the role granting permissions?
A simpler approach would be to simply require an admin to have a role to be
able to grant it to another user. When an admin creates a role they would
be given that role as well. You can also use composite roles to then achieve the
same as you're mentioning above.
On 5 November 2015 at 18:31, Bill Burke <bburke(a)redhat.com> wrote:
One of things that we need to be able to do if we have the idea of a
"Group Admin" is to control specifically which role mappings an admin is
allowed to grant. One of the places this comes up currently is that if
an admin has the "manage-users" role, they can pretty much add any
permission they want to themselves and get access to the whole realm.
IMO, this is something we need now. It needs to be built into our admin
UI.
So, how could we add the ability to control which roles an admin is
allowed to grant? Under the "Roles" menu option there would be a "Grant
Permissions" tab. Here, the admin can select a role and specify a list
of roles that can be granted if a user has that role.
Here's an example:
Let's say there are 2 sales applications "reporting" and "analytics".
Each of the apps has defined an "admin" and "user" role. We want to have
a developer manage user access to these systems.
1. Define "Sales Access Control Manager" role.
2. Go into "Roles" menu
3. Go to the "Role Granting Permissions" tab.
4. Select the "Sales Access Control Manager" role
5. Select and add the "reporting.user", "reporting.admin",
"analytics.user", and "analytics.admin" roles to the list of roles a
"Sales Access Control Manager" is allowed to grant.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
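The three policies under discussion in this thread, modelled as an added Python example: the status quo Bill describes (anyone with "manage-users" can map any role, including onto themselves), Bill's explicit per-role "grant permissions" list, and the reply's simpler rule that an admin may only grant roles they already hold, with composite roles expanded. This is not Keycloak code and comes from neither poster; the `COMPOSITES` and `GRANT_PERMISSIONS` tables, the "realm-admin" composite, and every function name are constructed for illustration.

```python
"""Toy model of role-granting policies for a realm admin.

Constructed example, not Keycloak code. Role names other than those
mentioned in the thread are illustrative.
"""
from typing import Callable, Dict, Iterable, Set

# Constructed composite definitions: a composite role expands to its members.
COMPOSITES: Dict[str, Set[str]] = {
    "sales-access-control-manager": {
        "reporting.user", "reporting.admin",
        "analytics.user", "analytics.admin",
    },
    # Hypothetical realm-wide admin composite used to show escalation.
    "realm-admin": {"manage-users", "manage-realm", "manage-clients"},
}

# Bill's proposal: for each role, the list of roles its holders may grant.
GRANT_PERMISSIONS: Dict[str, Set[str]] = {
    "sales-access-control-manager": {
        "reporting.user", "reporting.admin",
        "analytics.user", "analytics.admin",
    },
}

Policy = Callable[[Set[str], str], bool]


def expand(roles: Iterable[str]) -> Set[str]:
    """Return the given roles plus everything reachable via composites."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(COMPOSITES.get(role, ()))
    return seen


def policy_status_quo(admin_roles: Set[str], target: str) -> bool:
    """Status quo from the mail: manage-users may map any role at all."""
    return "manage-users" in expand(admin_roles)


def policy_grant_list(admin_roles: Set[str], target: str) -> bool:
    """Bill's proposal: target must appear in the grant list of a held role."""
    return any(target in GRANT_PERMISSIONS.get(r, set())
               for r in expand(admin_roles))


def policy_must_hold(admin_roles: Set[str], target: str) -> bool:
    """Reply's alternative: an admin may only grant roles they hold themselves."""
    return target in expand(admin_roles)


def grant(policy: Policy, admin_roles: Set[str],
          user_roles: Set[str], target: str) -> Set[str]:
    """Apply the policy; return the user's new role set or refuse."""
    if not policy(admin_roles, target):
        raise PermissionError(f"admin may not grant {target!r}")
    return set(user_roles) | {target}


def escalation_possible(policy: Policy) -> bool:
    """Can an admin holding only manage-users give themselves realm-admin?"""
    admin = {"manage-users"}
    try:
        grant(policy, admin, admin, "realm-admin")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for name, pol in [("status quo", policy_status_quo),
                      ("grant list", policy_grant_list),
                      ("must hold", policy_must_hold)]:
        print(f"{name:10s} escalation possible: {escalation_possible(pol)}")
```

Under the status-quo policy the self-escalation Bill describes goes through; under either restricted policy it is refused, and the "Sales Access Control Manager" from his walkthrough can map the four sales roles but nothing else. The `must_hold` variant gets the same effect without a separate grant table, at the cost that any admin can always hand out exactly the roles they hold, including "manage-users" itself.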