Hi there,
I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many
tenants, each with their own sub-tenants (their customers) and would like to provide
them with the ability to administer themselves (and enable sub-tenant users to admin the
sub-tenant, etc). Based on my current research, which includes the multi-tenant
example in the GitHub repo, it appears that multiple tenants are supported via separate
realms. My current thinking is that I’d like to use a single realm as I’d like for a
platform administrator (like myself) to be able to manage all users in a single place, use
a group hierarchy to support multiple tenants, and apply roles to specific users in a
group to e.g. administer the users or create a sub group for a new tenant.
Something like this:
REALM
|
|- User 1 (user-admin role)
|
|- Tenant 1 Group
|  |
|  |- User 1.1 (user-admin role)
|  |- User 1.2
|  |- …
|  |- User 1.n
|
|- Tenant 2 Group
   |
   |- User 2.1 (user-admin role)
   |- User 2.2
   |- …
   |- User 2.n
   |
   |- Tenant 3 Group
      |
      |- User 3.1 (user-admin role)
      |- User 3.2
      |- …
      |- User 3.n
From the above we’re looking for:
* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3
I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html>
and specifically this comment from Bill Burke:
    I like that idea. A better alternative might be that each group has an
    "user-admin" role. If a user has the "user-admin" role of the group, it
    can administer users in that group and assign roles defined in that
    group. One thing to really think about is, what about sub-groups. Can
    an admin of the parent group administer sub groups?
This post is from October 2015, so I’m curious if the ability to grant specific roles to
specific users in a specific group has been implemented at all? I can’t find anything
about it in the docs. I also just noticed this JIRA issue
<https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.
Disclaimer: I’m new to Keycloak so maybe I am misunderstanding and/or going about this
incorrectly… please let me know if I can provide more information; I can provide a more
complete description of my goals / requirements if that would help.
Thank you!
Best,
Shanon
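The group-scoped "user-admin" design sketched in the message (and the sub-group question Bill Burke raises) can be pinned down as a small reference model before choosing a Keycloak mechanism to implement it. The following is an added example, not code from the original post and not Keycloak's own behaviour: it assumes that holding "user-admin" on a group grants administration over every member of that group and of every group nested beneath it, and that a realm-level "user-admin" covers all users. The group and user names are taken from the tree in the post; the `Realm`, `Group` and `can_administer` names are hypothetical.

```python
"""Reference model of group-scoped user administration.

Assumed rule (not Keycloak's implementation): a user who holds the
"user-admin" role on a group may administer any user who is a member of
that group or of any group below it in the hierarchy. The realm root is
treated as the top-level group, so a realm-level user-admin covers everyone.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parent: Group | None = None
    members: set[str] = field(default_factory=set)
    # Users holding the "user-admin" role scoped to this group.
    admins: set[str] = field(default_factory=set)

    def ancestry(self) -> list[Group]:
        """Return the chain of groups from the realm root down to this group."""
        chain: list[Group] = []
        g: Group | None = self
        while g is not None:
            chain.append(g)
            g = g.parent
        chain.reverse()
        return chain


class Realm:
    def __init__(self) -> None:
        self.root = Group("REALM")
        self.groups: dict[str, Group] = {"REALM": self.root}

    def add_group(self, name: str, parent: str = "REALM") -> Group:
        group = Group(name, parent=self.groups[parent])
        self.groups[name] = group
        return group

    def add_user(self, user: str, group: str = "REALM", user_admin: bool = False) -> None:
        """Place a user in a group, optionally granting user-admin on that group."""
        g = self.groups[group]
        g.members.add(user)
        if user_admin:
            g.admins.add(user)

    def groups_of(self, user: str) -> list[Group]:
        return [g for g in self.groups.values() if user in g.members]

    def can_administer(self, admin: str, target: str) -> bool:
        """True if admin holds user-admin on any group containing target, or on an ancestor of it.

        Walking the ancestry answers the sub-group question: a parent-group admin
        reaches users in sub-groups, but a sub-group admin never reaches the parent.
        """
        for target_group in self.groups_of(target):
            for ancestor in target_group.ancestry():
                if admin in ancestor.admins:
                    return True
        return False

    def administered_users(self, admin: str) -> list[str]:
        """All users (realm-wide) that admin may administer under the assumed rule."""
        everyone = {u for g in self.groups.values() for u in g.members}
        return sorted(u for u in everyone if self.can_administer(admin, u))


def build_example_realm() -> Realm:
    """Constructed data mirroring the tree in the message (Tenant 3 nested under Tenant 2)."""
    realm = Realm()
    realm.add_user("User 1", "REALM", user_admin=True)
    realm.add_group("Tenant 1 Group")
    realm.add_user("User 1.1", "Tenant 1 Group", user_admin=True)
    realm.add_user("User 1.2", "Tenant 1 Group")
    realm.add_group("Tenant 2 Group")
    realm.add_user("User 2.1", "Tenant 2 Group", user_admin=True)
    realm.add_user("User 2.2", "Tenant 2 Group")
    realm.add_group("Tenant 3 Group", parent="Tenant 2 Group")
    realm.add_user("User 3.1", "Tenant 3 Group", user_admin=True)
    realm.add_user("User 3.2", "Tenant 3 Group")
    return realm


if __name__ == "__main__":
    r = build_example_realm()
    for admin in ("User 1", "User 1.1", "User 2.1", "User 3.1"):
        print(f"{admin} administers: {r.administered_users(admin)}")
```

Running the script lists, for each of the four admins in the message, exactly the users the bullet list says they should control; the check for `User 3.1` against `User 2.2` comes back false, which is the one-directional answer to the "can an admin of the parent group administer sub groups?" question. The model deliberately says nothing about which roles a group admin may assign, since granting user-admin itself from within a group is the escalation path that needs a separate decision.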