On 3/22/17 9:37 AM, Marek Posolda wrote:
> On 21/03/17 22:10, Bill Burke wrote:
>> Here's what we want to be able to manage for fine-grain admin
>> permissions for the 1st iteration. If you think we need more, let me
>> know, but I want to keep this list as small as possible.
>>
>> User management
>>
>> * Admin can only apply certain roles to a user
>> * Admin can view users of a specific group
>> * Admin can manage users of a specific group (creds, role
>> mappings, etc.)
> Maybe also:
> * Admin can only apply roles/groups which he himself has
> AFAIK currently we have issues that a user with the "manage-users" role can
> assign any role to himself and hence gain permission to everything.
This falls under the category of "Admin can only apply certain roles to
a user". We're talking implementation detail here, but the way I
envision it will work is each role can define policies on how it is
allowed to be assigned. For example: the "manage-realm" role can only
be assigned if the user has the "admin" role. Also, any policy will be
defined using the Authz service.
Bill
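The two rules discussed in this thread (Bill's per-role assignment policy, and Marek's stricter "only roles the admin himself holds"), as an added toy model in plain Python. This is not Keycloak code and does not use its Authorization Services; the role names other than "manage-users", "manage-realm" and "admin", the `ROLE_ASSIGNMENT_POLICY` table, the `Admin` class and all function names are constructed for illustration, and the escalation scenario is the one Marek describes: an admin holding only "manage-users" tries to grant himself "manage-realm".

```python
"""Toy model of role-assignment policies (constructed example, not Keycloak's own code)."""
from dataclasses import dataclass, field


@dataclass
class Admin:
    """A hypothetical admin account: just a name and the set of realm roles it holds."""
    name: str
    roles: set = field(default_factory=set)


# Constructed policy table: for each realm role, the set of roles an admin must
# already hold in order to assign it. An empty set means any admin who passes
# the basic "manage-users" gate may assign it. The "manage-realm" entry is the
# example from the thread: only someone with "admin" may hand it out.
ROLE_ASSIGNMENT_POLICY = {
    "view-users": set(),
    "manage-users": {"admin"},
    "manage-realm": {"admin"},
    "admin": {"admin"},
}


class Forbidden(Exception):
    """Raised when an assignment is refused."""


def coarse_assign(actor: Admin, target: Admin, role: str) -> None:
    """Today's behaviour as Marek describes it: "manage-users" alone is enough
    to assign any role to anyone, including to the actor himself."""
    if "manage-users" not in actor.roles:
        raise Forbidden(f"{actor.name} lacks manage-users")
    target.roles.add(role)


def policy_assign(actor: Admin, target: Admin, role: str) -> None:
    """Bill's proposal: the role being assigned carries its own policy on who
    may assign it, evaluated on top of the basic "manage-users" gate."""
    if "manage-users" not in actor.roles:
        raise Forbidden(f"{actor.name} lacks manage-users")
    required = ROLE_ASSIGNMENT_POLICY.get(role)
    if required is None:
        # Unknown role: fail closed rather than assign something unpoliced.
        raise Forbidden(f"no assignment policy defined for role {role!r}")
    if not required.issubset(actor.roles):
        missing = sorted(required - actor.roles)
        raise Forbidden(f"{actor.name} may not assign {role!r}: needs {missing}")
    target.roles.add(role)


def self_only_assign(actor: Admin, target: Admin, role: str) -> None:
    """Marek's stricter variant: an admin may only grant roles he himself holds."""
    if "manage-users" not in actor.roles:
        raise Forbidden(f"{actor.name} lacks manage-users")
    if role not in actor.roles:
        raise Forbidden(f"{actor.name} does not hold {role!r} and so cannot grant it")
    target.roles.add(role)


def escalation_demo(assign) -> set:
    """Run the self-escalation attempt under a given assignment rule and
    return the roles the help-desk admin ends up with."""
    helpdesk = Admin("helpdesk", {"manage-users"})          # constructed account
    try:
        assign(helpdesk, helpdesk, "manage-realm")         # tries to grant himself manage-realm
    except Forbidden:
        pass
    return helpdesk.roles


def legitimate_demo(assign) -> set:
    """A realm admin (who, as in the thread's example, holds "admin") grants
    "manage-realm" to another account; returns that account's roles."""
    # In this toy model "admin" does not imply "manage-users", so the realm
    # admin is given both explicitly.
    realm_admin = Admin("realm-admin", {"admin", "manage-users"})   # constructed account
    newcomer = Admin("newcomer", set())                             # constructed account
    try:
        assign(realm_admin, newcomer, "manage-realm")
    except Forbidden:
        pass
    return newcomer.roles


if __name__ == "__main__":
    for rule in (coarse_assign, policy_assign, self_only_assign):
        print(f"{rule.__name__:18} escalation -> {sorted(escalation_demo(rule))}"
              f"   legitimate -> {sorted(legitimate_demo(rule))}")
```

Under `coarse_assign` the help-desk account walks away with "manage-realm"; under either policed rule the self-grant is refused while the realm admin's legitimate grant still succeeds. The difference between the two policed rules shows up elsewhere: `policy_assign` lets a policy be looser than "must hold the role" (for example an empty requirement on "view-users"), whereas `self_only_assign` needs no per-role table at all.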