Re: [keycloak-dev] cross-realm administration

On 08/12/15 13:50, Bill Burke wrote: > Continuing our hangout from yesterday... > > The primary goal, IMO is to 1) clean up the master realm realm clients > 2) remove the master realm requirement for cross-realm impersonation 3) > give possibility to remove the master realm > > Right now non-master realms trust admins in the master realm. These > "child" realms allow the master realm to decide which users in the > master realm are allowed to access it. I'll call this "cross-realm > administration". We could continue this model, but without role > namespaces you'd have to create realm-clients in each trusted realm. > > Another idea is to do something really simple. Realm A decides to trust > Realm B and they "share" admin roles. If user in Realm B has > "view-user" permission, then he also has "view-user" permission. The UI > is simple and there's no need for Realm A and B to know anything else > about each other. This is a simpler version of "cross-realm > administration" which doesn't give you any fine grain per-realm control. > This requires very little UI work which is the big blocker for me. > > Building on that idea, which is what I started to implement, is that > Realm A "shares" admin roles still, but only allows certain permissions > for Realm B. Realm A grants admins in Realm B "view user and create > client" How about the case when I want to have: 1) user "a-admin" in realm A, which is supposed to have "view-user" permission just for realm A 2) user "b-admin" in realm B, which is supposed to have "view-user" permission just for realm B 3) user "admin" in realm A, which is supposed to have "view-user" permission for both realms A and B If I understand correctly, I won't be able to model this because: For rule (3), I need realm B to trust realm A . However that implies that user "a-admin" from realm A will be able to have "view-user" for realm B, which breaks rule (1) and is something I don't want. But still, maybe most of the people don't need something powerful and this simple model will be sufficient for them? Maybe we can go with simple model for now and later (after 1.0) we can introduce something more powerful and incorporate Pedro's authorization stuff to be able to specify more fine-grained permissions?