Added this comment to the previous thread, but copy/pasting here:
I was thinking a bit more about trust between realms, and I think that should be limited to authentication only. An admin with certain roles in one realm shouldn't necessarily have the same roles in another realm. So I think we need either a user that can exist in multiple realms or to utilize identity brokering to get "linked" users. I'm worried that if we allow roles from one realm to give admin permissions in another, it will be hard to get a full picture of who has access to the realm. It may also give unintentional permissions. Also, if we introduce admins that can only manage a "group" of users, or roles that specify what roles an admin can grant, that would require users in the specific realm to manage.
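To make the argument in the comment above concrete, here is a small toy model added as an illustration; it is not code from the original comment or from the project being discussed. It assumes a directory where roles are realm-local, a brokered ("linked") identity is a local user record that points back to its source realm, and the role names `realm-admin` and `view-users` are placeholders. It contrasts a realm-local role lookup with one that honours the source realm's roles across the link, and shows that the second lets someone administer a realm without appearing in that realm's own admin list.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed toy model (not project code): realms hold users, roles are
# realm-local, and a brokered identity is a local user record that records
# which source identity it was linked from.


@dataclass
class User:
    realm: str
    username: str
    roles: set[str] = field(default_factory=set)
    linked_from: tuple[str, str] | None = None  # (source realm, source username)


class Directory:
    def __init__(self) -> None:
        self.users: dict[tuple[str, str], User] = {}

    def add(self, realm: str, username: str, roles=()) -> User:
        user = User(realm, username, set(roles))
        self.users[(realm, username)] = user
        return user

    def broker(self, src_realm: str, src_user: str, dst_realm: str, roles=()) -> User:
        """Identity brokering: the source identity authenticates, and a linked
        local user is created in dst_realm. Only roles granted in dst_realm apply."""
        if (src_realm, src_user) not in self.users:
            raise KeyError("unknown source identity")
        user = User(dst_realm, src_user, set(roles), linked_from=(src_realm, src_user))
        self.users[(dst_realm, src_user)] = user
        return user

    def roles_in(self, realm: str, username: str) -> set[str]:
        """Realm-local view: the link contributes authentication only."""
        user = self.users.get((realm, username))
        return set(user.roles) if user else set()

    def roles_in_trusting_source(self, realm: str, username: str) -> set[str]:
        """The alternative argued against above: roles from the source realm
        are honoured in the target realm through the link."""
        roles = self.roles_in(realm, username)
        user = self.users.get((realm, username))
        if user and user.linked_from:
            roles |= self.roles_in(*user.linked_from)
        return roles

    def admins_of(self, realm: str, admin_role: str = "realm-admin") -> list[str]:
        """Audit question 'who can administer this realm?', answered from the
        realm's own user records alone (placeholder role name assumed)."""
        return sorted(
            u.username
            for (r, _), u in self.users.items()
            if r == realm and admin_role in u.roles
        )


def demo() -> Directory:
    """Constructed sample data: alice administers 'corp' and is brokered into
    'partner' with only a read-only role; bob is a local admin of 'partner'."""
    d = Directory()
    d.add("corp", "alice", {"realm-admin"})
    d.add("partner", "bob", {"realm-admin"})
    d.broker("corp", "alice", "partner", roles={"view-users"})
    return d


if __name__ == "__main__":
    d = demo()
    print("realm-local:", d.roles_in("partner", "alice"))
    print("trusting source realm:", d.roles_in_trusting_source("partner", "alice"))
    print("admins of partner per its own records:", d.admins_of("partner"))
```

With the realm-local lookup, alice has only `view-users` in `partner`, and `admins_of("partner")` is the complete answer. With the cross-realm lookup she is effectively a `partner` admin through her `corp` role, yet `partner`'s own records still list only bob, which is exactly the "hard to get a full picture" problem the comment raises.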