Added view roles as well. Admin console has been updated to make forms
read-only if the user only has a view role (there are a few widgets it doesn't
work for, but that should be fixed soon).
The new roles are:
* view-realm
* view-users
* view-applications
* view-clients
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 25 February, 2014 12:59:39 PM
> Subject: [keycloak-dev] Realm admin permissions added
>
> Realm admin permissions have been added to master.
>
> A quick overview on how it works:
>
> When a realm is created an application is created in the keycloak-admin
> realm. The application name is '<realm name>-realm'. This application
> represents the roles associated with the realm, and lets you add role
> mappings to users as well as scope mappings to apps/clients. A realm app has
> the following roles:
>
> * manage-realm
> * manage-users
> * manage-applications
> * manage-clients
>
> These roles are all read/write. In the future I imagine we can add some view
> only roles (view-realm, view-users, view-applications, view-clients). I
> didn't add it this time around as it would require a fair amount of changes
> to admin console (everything is forms with buttons at the moment, so would
> have to add read only views).
>
> When listing realms the admin console will only return the realms where the
> user has one or more of the above roles. The admin console will also change
> the menu depending on what roles the user has (for example a user that only
> has 'manage-clients' and 'manage-users' will not see 'settings' and
> 'applications').
>
> There's a realm role called 'admin' as well. This is a composite role and
> when creating a new realm all roles for the new realm are added to it. Only
> users with this role are allowed to create, import or delete realms.
>
> To create a new realm, with a user that has only 'manage-users' and
> 'manage-clients' access to this new realm, do the following:
>
> 1. Create a new realm called 'test'
> 2. Navigate to users for 'keycloak-admin' realm
> (http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
> 3. Create new user called 'test' (enable + reset creds)
> 4. Click on 'Role mappings'
> 5. In 'Applications' drop-down select 'test-realm'
> 6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
> add mapping
> 7. Log out of admin console, and login as 'test'
>
> The pages in the admin console themselves haven't been disabled, only the
> menu to navigate there. You can try opening for example:
>
> http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
> http://localhost:8081/auth/admin/index.html#/realms/test/applications
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
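The thread above notes that only the menu is hidden while the pages stay reachable by URL. The following is an added example, not part of the original messages and not Keycloak's own code: it models the '<realm name>-realm' role mappings and makes the per-request decision separately from the menu. All function names, the area-to-menu mapping and the sample users are assumptions constructed for illustration.

```javascript
// Hypothetical model of the manage-*/view-* roles described in the thread.
const AREAS = ['realm', 'users', 'applications', 'clients'];

// Assumed mapping from permission area to admin-console menu entry.
const MENU = { realm: 'settings', users: 'users',
               applications: 'applications', clients: 'clients' };

// roleMappings: { '<realm name>-realm': [role, ...] } for one user,
// i.e. the application roles held in the keycloak-admin realm.
function accessFor(roleMappings, realm, area) {
  if (!AREAS.includes(area)) throw new Error('unknown area: ' + area);
  const app = realm + '-realm';
  const held = Object.prototype.hasOwnProperty.call(roleMappings, app)
    ? new Set(roleMappings[app]) : new Set();
  if (held.has('manage-' + area)) return 'write'; // manage-* is read/write
  if (held.has('view-' + area)) return 'read';    // view-* is read-only
  return 'none';
}

// Realm listing: only realms where the user holds at least one role.
function visibleRealms(roleMappings, realms) {
  return realms.filter(r =>
    AREAS.some(a => accessFor(roleMappings, r, a) !== 'none'));
}

// Menu is a convenience only; it must not be the access control.
function menuFor(roleMappings, realm) {
  return AREAS.filter(a => accessFor(roleMappings, realm, a) !== 'none')
              .map(a => MENU[a]);
}

// Per-request decision, evaluated regardless of what the menu shows.
function authorize(roleMappings, realm, area, method) {
  const access = accessFor(roleMappings, realm, area);
  if (access === 'write') return true;
  if (access === 'read') return method === 'GET' || method === 'HEAD';
  return false;
}

// Constructed sample users: 'test' mirrors steps 1-7 in the thread.
const testUser = { 'test-realm': ['manage-users', 'manage-clients'] };
const viewer = { 'test-realm': ['view-users'] };

console.log(menuFor(testUser, 'test'));
console.log(authorize(testUser, 'test', 'applications', 'GET'));
console.log(authorize(viewer, 'test', 'users', 'PUT'));
```
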