I don't agree that it's simpler, but I agree with your other points. I'm not too worried about the simplicity as I assume this won't be used by most people, only those that need to limit what roles specific admins can grant.

So we need a role to allow granting all roles and a role to manage role granting permissions?

This further speaks to us introducing role namespaces as then users can define the role granting permissions roles (hm.. simpler did you say?) in a separate namespace.

BTW in the future with the authz services hopefully users can define their own policies for securing the admin endpoints. We'd ship with some default policies and permissions, then users can change that however they want. The admin endpoints would just be secured by the authz services, rather than our bespoke code we use ATM.

On 5 November 2015 at 21:58, Bill Burke <bburke@redhat.com> wrote:


On 11/5/2015 1:58 PM, Stian Thorgersen wrote:
Sounds complex and confusing to me. Also how do you specify who's
allowed to manage the role granting permissions?


My proposal is *simpler* and very explicit.  All this is is assigning admin permissions to a role.



There would be a realm-wide role for admins that are allowed to set up role granting permissions.  Just like we have for view-user, etc.  So, the master admin sets up the role granting permissions, then assigns role granting roles to each subset of "junior" admins.


A simpler approach would be to simply require an admin to have a role to
be able to grant it to another user. When an admin creates a role they
would be given that role as well. You can also composite roles to then
achieve the same as you're mentioning above.


I started with that approach, but I thought it was too implicit and confusing.  There will be cases where a user has admin permissions for a client, but you don't want to allow them to grant this permission to others.  It's like contributors at GitHub.  Contributors can merge PRs, but they can't grant others contributor access.




On 5 November 2015 at 18:31, Bill Burke <bburke@redhat.com> wrote:

    One of things that we need to be able to do if we have the idea of a
    "Group Admin" is to control specifically which role mappings an admin is
    allowed to grant.  One of the places this comes up currently is that if
    an admin has the "manage-users" role, they can pretty much add any
    permission they want to themselves and get access to the whole realm.

    IMO, this is something we need now.  It needs to be built into our
    admin UI.

    So, how could we add the ability to control which roles an admin is
    allowed to grant? Under the "Roles" menu option there would be a "Grant
    Permissions" tab.  Here, the admin can select a role and specify a list
    of roles that can be granted if a user has that role.

    Here's an example:

    Let's say there are 2 sales applications "reporting" and "analytics".
    Each of the apps has defined an "admin" and "user" role. We want to have
    a developer manage user access to these systems.

    1. Define "Sales Access Control Manager" role.
    2. Go into "Roles" menu
    3. Go to the "Role Granting Permissions" tab.
    4. Select the "Sales Access Control Manager" role
    5. Select and add the "reporting.user", "reporting.admin",
    "analytics.user", and "analytics.admin" roles to the list of roles a
    "Sales Access Control Manager" is allowed to grant.



--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
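As an added illustration of the two models debated in this thread (not code from the thread or from Keycloak itself), here is a small Python model of the role-granting check, using the sales-app example above plus a hypothetical "realm-admin" composite and a hypothetical grant-permission table:

```python
# Constructed sample data modelling the thread's example: two sales apps,
# each with "user" and "admin" roles, plus a delegated-admin role.
ROLES = {
    "reporting.user", "reporting.admin", "analytics.user", "analytics.admin",
    "sales-access-control-manager", "manage-users", "realm-admin",
}

# Composite roles: holding the key implies holding every role in the value.
# Hypothetical composite; not part of the thread.
COMPOSITES = {
    "realm-admin": {"manage-users", "reporting.admin", "analytics.admin"},
}

# Role-granting permissions from Bill's proposal: role -> roles it may grant.
# Hypothetical table; the thread does not define an actual data model.
GRANT_PERMISSIONS = {
    "sales-access-control-manager": {
        "reporting.user", "reporting.admin", "analytics.user", "analytics.admin",
    },
    "realm-admin": ROLES,  # the master admin may grant anything
}


def expand(roles):
    """Expand composite roles transitively into the full set of held roles."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(COMPOSITES.get(role, ()))
    return result


def may_grant_explicit(admin_roles, target_role):
    """Explicit model: allowed only if some held role lists target_role.

    Merely holding "manage-users" grants nothing, so an admin cannot
    assign realm-wide roles to themselves (the escalation in the thread)."""
    held = expand(admin_roles)
    return any(target_role in GRANT_PERMISSIONS.get(r, ()) for r in held)


def may_grant_implicit(admin_roles, target_role):
    """Implicit model: an admin may grant any role they hold themselves.

    This is the "contributor can add contributors" behaviour Bill objects to."""
    return target_role in expand(admin_roles)
```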