Added one more role, create-realm. This is handy as it allows adding users that can create
new realms without giving them permissions to everything. When a realm is created and the
user is not an admin, the user will be given all roles for that realm. As a side-effect
this also lets you have a SaaS type solution where self-registered users can create
and manage their own realms, but not access other realms.
Now it's only a bit more testing + documentation left for this.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 26 February, 2014 7:11:54 PM
Subject: Re: [keycloak-dev] Realm admin permissions added
Very nice.
On 2/26/2014 12:41 PM, Stian Thorgersen wrote:
> Added view roles as well. Admin console has been updated to make forms
> read-only if user only has view role (there are a few widgets it doesn't
> work for, but should be fixed soon).
>
> The new roles are:
>
> * view-realm
> * view-users
> * view-applications
> * view-clients
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 25 February, 2014 12:59:39 PM
>> Subject: [keycloak-dev] Realm admin permissions added
>>
>> Realm admin permissions have been added to master.
>>
>> A quick overview on how it works:
>>
>> When a realm is created, an application is created in the keycloak-admin
>> realm. The application name is '<realm name>-realm'. This application
>> represents the roles associated with the realm, and lets you add role
>> mappings to users as well as scope mappings to apps/clients. A realm app has
>> the following roles:
>>
>> * manage-realm
>> * manage-users
>> * manage-applications
>> * manage-clients
>>
>> These roles are all read/write. In the future I imagine we can add some view
>> only roles (view-realm, view-users, view-applications, view-clients). I
>> didn't add it this time around as it would require a fair amount of changes
>> to admin console (everything is forms with buttons at the moment, so would
>> have to add read only views).
>>
>> When listing realms the admin console will only return the realms where the
>> user has one or more of the above roles. The admin console will also change
>> the menu depending on what roles the user has (for example a user that only
>> has 'manage-clients' and 'manage-users' will not see 'settings' and
>> 'applications').
>>
>> There's a realm role called 'admin' as well. This is a composite role and
>> when creating a new realm all roles for the new realm are added to it. Only
>> users with this role are allowed to create, import or delete realms.
>>
>> To create a new realm, with a user that has only 'manage-users' and
>> 'manage-clients' access to this new realm, do the following:
>>
>> 1. Create a new realm called 'test'
>> 2. Navigate to users for 'keycloak-admin' realm
>> (http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
>> 3. Create new user called 'test' (enable + reset creds)
>> 4. Click on 'Role mappings'
>> 5. In 'Applications' drop-down select 'test-realm'
>> 6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
>> add mapping
>> 7. Log out of admin console, and login as 'test'
>>
>> The pages in the admin console themselves haven't been disabled, only the
>> menu to navigate there. You can try opening for example:
>>
>> http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
>> http://localhost:8081/auth/admin/index.html#/realms/test/applications
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
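Taking the thread as a whole, the following is an added Python model (not Keycloak's own code) of the permission scheme the messages describe: the '<realm>-realm' application with its manage-* and view-* roles, the composite 'admin' role, the later create-realm role, the realm list and menu filtered by role, and view-only forms. Which console section each role unlocks is an assumption, as is the small in-memory data model.

```python
# Added example, not Keycloak code: a small model of the realm-admin permission
# scheme described in this thread. The section-to-role mapping is an assumption.
from dataclasses import dataclass, field

# Roles of each '<realm>-realm' application in the keycloak-admin realm.
REALM_ROLES = {f"{p}-{s}" for p in ("manage", "view")
               for s in ("realm", "users", "applications", "clients")}
# Admin-console menu entries and the role suffix that unlocks each (assumed).
SECTIONS = {"settings": "realm", "users": "users",
            "applications": "applications", "clients": "clients"}

@dataclass
class User:
    name: str
    realm_roles: set = field(default_factory=set)   # roles in keycloak-admin realm
    app_roles: dict = field(default_factory=dict)   # '<realm>-realm' -> roles

class AdminRealm:
    def __init__(self):
        self.realms = set()   # realms known to the keycloak-admin realm
    def roles_for(self, user, realm):
        """Effective roles on a realm; the composite 'admin' role expands to all."""
        if realm not in self.realms:
            return set()
        if "admin" in user.realm_roles:
            return set(REALM_ROLES)
        return set(user.app_roles.get(f"{realm}-realm", ()))
    def visible_realms(self, user):
        """The realm list only shows realms where the user holds some role."""
        return sorted(r for r in self.realms if self.roles_for(user, r))
    def can_create_realm(self, user):
        return bool(user.realm_roles & {"admin", "create-realm"})
    def create_realm(self, name, creator):
        if not self.can_create_realm(creator):
            raise PermissionError(f"{creator.name} may not create realms")
        self.realms.add(name)
        # A non-admin creator gets every role of the new realm and nothing else.
        if "admin" not in creator.realm_roles:
            creator.app_roles[f"{name}-realm"] = set(REALM_ROLES)
    def menu_for(self, user, realm):
        """Menu entries shown for a realm, filtered by the roles the user holds."""
        roles = self.roles_for(user, realm)
        return sorted(s for s, r in SECTIONS.items()
                      if {f"manage-{r}", f"view-{r}"} & roles)
    def read_only(self, user, realm, section):
        """A form is read-only when the user has only the view role for it."""
        roles, r = self.roles_for(user, realm), SECTIONS[section]
        return f"view-{r}" in roles and f"manage-{r}" not in roles
```

Replaying the thread's walkthrough, a user 'test' mapped to manage-users and manage-clients on 'test-realm' sees only the 'users' and 'clients' menu entries for realm 'test', while a create-realm user who creates a realm ends up with every role on that realm and none on any other.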