Re: [keycloak-dev] Restrict admins to only allow granting roles they are privileged to

From: "Marek Posolda" <mposolda(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Wednesday, 25 March, 2015 12:27:24 PM Subject: Re: [keycloak-dev] Restrict admins to only allow granting roles they are privileged to +1 for the simple fix, however I agree that more flexibility might be needed.

We may need some more fine grained authorization. For example user is authorized to manage application "app1" but not application "app2" (currently user with "manage-applications" role can manage any application). Similarly I may want some user to grant/revoke other users all application roles of particular application etc. I wonder if we should add the concept of "permission" ? Basically permission would consist of action and target object (could support wildcards). Permissions are given to roles. For example current role "manage-applications" will have permissions like this: - create-applications - update-applications: * - remove-application: * So member of this role can CRUD any application. Now when users from role "myapp1/foo-role" should be able to grant/revoke this role to other users, the permission given to the foo-role will be: - grant-role: "myapp1", "foo-role" When users from role "myapp1/bar-role" should be able to grant/revoke all roles from application "myapp1" to other users, the permission will be: - grant-role: "myapp1", "*" The tricky part is to have the permission model flexible enough, but not be too complex at the same time;-) Maybe it should be driven mainly by real use-cases from community?

Marek On 25.3.2015 06:49, Stian Thorgersen wrote: > I propose we add a check when an admin wants to grant a role. For a admin > to be allowed to grant a role the admin either has to have the > admin/realm-admin role or have the role itself. This prevents admins from > adding more privileges to themselves than they already have and would also > be a way to allow admins that can only manage roles for specific > applications. > > This should be a simple fix. In the future I think we may need to re-design > how we map permissions for Keycloak. I'm really not that happy with the > realm apps and such, it's messy and not flexible enough. > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev