What about
Identity providers
* Admin can only manage a specific identity provider?
On Wed, Mar 22, 2017 at 8:10 AM, Bill Burke <bburke(a)redhat.com> wrote:
> Here's what we want to be able to manage for fine-grain admin
> permissions for the 1st iteration. If you think we need more, let me
> know, but I want to keep this list as small as possible.
>
> User management
> * Admin can only apply certain roles to a user
> * Admin can view users of a specific group
> * Admin can manage users of a specific group (creds, role mappings, etc)
>
> Group Management
> * Admin can only manage a specific group
> * Admin can only apply certain roles to a group
> * Admin can only manage attributes of a specific group
> * Admin can control group membership (add/remove members)
>
> Client management:
> * Admin can only manage a specific client.
> * Admin can manage only configuration for a specific client and not
> scope mappings or mappers. We have this distinction so that rogues
> can't expand the scope of the client beyond what it is allowed to.
> * Service accounts can manage the configuration of the client by default?
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev