I propose we add a check when an admin wants to grant a role. For an admin to be allowed to
grant a role the admin either has to have the admin/realm-admin role or have the role
itself. This prevents admins from adding more privileges to themselves than they already
have and would also be a way to allow admins that can only manage roles for specific
applications.
This should be a simple fix. In the future I think we may need to re-design how we map
permissions for Keycloak. I'm really not that happy with the realm apps and such,
it's messy and not flexible enough.
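The check proposed in the message above, sketched as an added example (not part of the original post and not Keycloak's code). The class, the method names and the role strings are hypothetical, and reading "admin/realm-admin" as two role names that may grant anything is an assumption.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical model, not Keycloak's API: roles are plain strings and the
// application-scoped names ("app-a/manager", ...) are constructed samples.
public class GrantCheck {
    // Assumption: these two role names may grant any role.
    static final Set<String> SUPER_ROLES = Set.of("admin", "realm-admin");

    /** True if a caller holding callerRoles may grant roleToGrant. */
    static boolean canGrant(Set<String> callerRoles, String roleToGrant) {
        for (String held : callerRoles) {
            if (SUPER_ROLES.contains(held)) {
                return true;
            }
        }
        // Otherwise the caller can only hand out a role it already holds.
        return callerRoles.contains(roleToGrant);
    }

    /** Grants every requested role or none: all are checked before any is added. */
    static void grant(Set<String> callerRoles, Set<String> targetRoles, Set<String> requested) {
        for (String role : requested) {
            if (!canGrant(callerRoles, role)) {
                throw new SecurityException("caller may not grant role: " + role);
            }
        }
        targetRoles.addAll(requested);
    }

    public static void main(String[] args) {
        Set<String> appAdmin = new HashSet<>(Set.of("app-a/manager", "app-a/viewer"));
        Set<String> user = new HashSet<>();

        // An application-scoped admin passes on a role it holds.
        grant(appAdmin, user, Set.of("app-a/viewer"));
        System.out.println("user roles: " + user);

        // The same admin tries to add realm-admin to itself: the whole request is refused.
        try {
            grant(appAdmin, appAdmin, Set.of("app-a/viewer", "realm-admin"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        System.out.println("admin roles: " + appAdmin);

        // A realm admin may grant roles it does not hold itself.
        grant(Set.of("realm-admin"), user, Set.of("app-b/manager"));
        System.out.println("user roles: " + user);
    }
}
```

Checking the whole request before changing anything keeps a rejected request from leaving a partial grant behind.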