Added view roles as well. Admin console has been updated to make forms read-only if user
only has view role (there are a few widgets it doesn't work for, but should be fixed
soon).
The new roles are:
* view-realm
* view-users
* view-applications
* view-clients
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 25 February, 2014 12:59:39 PM
Subject: [keycloak-dev] Realm admin permissions added
Realm admin permissions have been added to master.
A quick overview on how it works:
When a realm is created an application is created in the keycloak-admin
realm. The application name is '<realm name>-realm'. This application
represents the roles associated with the realm, and lets you add role
mappings to users as well as scope mappings to apps/clients. A realm app has
the following roles:
* manage-realm
* manage-users
* manage-applications
* manage-clients
These roles are all read/write. In the future I imagine we can add some view
only roles (view-realm, view-users, view-applications, view-clients). I
didn't add it this time around as it would require a fair amount of changes
to admin console (everything is forms with buttons at the moment, so would
have to add read only views).
When listing realms the admin console will only return the realms where the
user has one or more of the above roles. The admin console will also change
the menu depending on what roles the user has (for example a user that only
has 'manage-clients' and 'manage-users' will not see 'settings' and
'applications').
There's a realm role called 'admin' as well. This is a composite role and
when creating a new realm all roles for the new realm are added to it. Only
users with this role are allowed to create, import or delete realms.
To create a new realm, with a user that has only 'manage-users' and
'manage-clients' access to this new realm, do the following:
1. Create a new realm called 'test'
2. Navigate to users for 'keycloak-admin' realm
(http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
3. Create new user called 'test' (enable + reset creds)
4. Click on 'Role mappings'
5. In 'Applications' drop-down select 'test-realm'
6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
add mapping
7. Log out of admin console, and login as 'test'
The pages in the admin console themselves haven't been disabled, only the
menu to navigate there. You can try opening for example:
http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
http://localhost:8081/auth/admin/index.html#/realms/test/applications
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
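The following is an added example, not code from Keycloak or from the thread's author. It models the permission rules the two mails describe: the per-realm '<realm name>-realm' application in the keycloak-admin realm carrying manage-* and view-* roles, realm listing filtered to realms where the user holds at least one of those roles, menu sections hidden when the user lacks the matching role, forms read-only when only the view role is held, and the composite 'admin' realm role that grants everything. The section-to-role mapping and the page-to-section table (which the mail only illustrates with manage-users/manage-clients hiding 'settings' and 'applications') are my assumptions, as are the user objects, which are constructed sample data. It also generalises the menu check into a route guard, because the original mail notes that the pages themselves are still reachable by URL when only the menu is hidden.

```javascript
// Added example (assumptions of the author of this example, not Keycloak's code).

// Naming convention from the mail: the realm app is '<realm name>-realm'.
const REALM_APP_SUFFIX = '-realm';

// manage-* roles from the original mail; view-* roles from the follow-up.
const MANAGE_ROLES = ['manage-realm', 'manage-users', 'manage-applications', 'manage-clients'];
const VIEW_ROLES = ['view-realm', 'view-users', 'view-applications', 'view-clients'];

// Assumption: which console section each role unlocks. Each entry is [manage role, view role].
const SECTION_ROLES = {
  settings:     ['manage-realm', 'view-realm'],
  users:        ['manage-users', 'view-users'],
  applications: ['manage-applications', 'view-applications'],
  clients:      ['manage-clients', 'view-clients'],
};

// Assumption: last path segment of '#/realms/<realm>/<page>' mapped to a section.
const PAGE_SECTION = {
  'social-settings': 'settings',
  'users': 'users',
  'applications': 'applications',
  'clients': 'clients',
};

// Effective app roles of a keycloak-admin user. The composite 'admin' realm role
// is expanded to every role of every realm app, as the mail describes.
function effectiveRoles(user, realms) {
  const apps = {};
  for (const [app, roles] of Object.entries(user.appRoles || {})) apps[app] = new Set(roles);
  if ((user.realmRoles || []).includes('admin')) {
    for (const realm of realms) {
      const app = realm + REALM_APP_SUFFIX;
      apps[app] = apps[app] || new Set();
      for (const r of [...MANAGE_ROLES, ...VIEW_ROLES]) apps[app].add(r);
    }
  }
  return apps;
}

function rolesForRealm(user, realm, realms) {
  return effectiveRoles(user, realms)[realm + REALM_APP_SUFFIX] || new Set();
}

// Realm listing: only realms where the user holds at least one manage-* or view-* role.
function visibleRealms(user, realms) {
  return realms.filter(realm => {
    const roles = rolesForRealm(user, realm, realms);
    return [...MANAGE_ROLES, ...VIEW_ROLES].some(r => roles.has(r));
  });
}

// Menu: a section is shown when the user holds its manage or its view role.
function visibleSections(user, realm, realms) {
  const roles = rolesForRealm(user, realm, realms);
  return Object.keys(SECTION_ROLES).filter(s => SECTION_ROLES[s].some(r => roles.has(r)));
}

// Forms are read-only when the user holds only the view role for that section.
function isReadOnly(user, realm, section, realms) {
  const roles = rolesForRealm(user, realm, realms);
  const [manageRole, viewRole] = SECTION_ROLES[section];
  return roles.has(viewRole) && !roles.has(manageRole);
}

// Only the composite 'admin' realm role may create, import or delete realms.
function canCreateRealm(user) {
  return (user.realmRoles || []).includes('admin');
}

// Route guard: the same check the menu uses, applied to a directly typed URL hash,
// so hiding a menu entry and denying the page stay consistent.
function canOpenRoute(user, hash, realms) {
  const m = /^#\/realms\/([^/]+)\/([^/]+)$/.exec(hash);
  if (!m) return false;
  const [, realm, page] = m;
  const section = PAGE_SECTION[page];
  return section !== undefined && visibleSections(user, realm, realms).includes(section);
}

// Constructed sample data mirroring the walkthrough in the mail.
const REALMS = ['test', 'demo'];
const LIMITED_USER = { username: 'test', realmRoles: [],
  appRoles: { 'test-realm': ['manage-users', 'manage-clients'] } };
const VIEW_ONLY_USER = { username: 'viewer', realmRoles: [],
  appRoles: { 'demo-realm': ['view-users'] } };
const ADMIN_USER = { username: 'admin', realmRoles: ['admin'], appRoles: {} };

console.log(visibleRealms(LIMITED_USER, REALMS));            // [ 'test' ]
console.log(visibleSections(LIMITED_USER, 'test', REALMS)); // [ 'users', 'clients' ]
console.log(canOpenRoute(LIMITED_USER, '#/realms/test/social-settings', REALMS)); // false
```

The menu and the route guard share one predicate (`visibleSections`), which is the point of the generalisation: the mail's observation that pages remain reachable by URL is exactly the gap that opens when the menu filter and the page access check are written separately. In a real deployment the server-side REST endpoints are where the roles must be enforced; the client-side guard only keeps the console consistent.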