Added one more role create-realm. This is handy as it allows adding users that can create
new realms without giving them permissions to everything. When a realm is created and the
user is not an admin the user will be given all roles for that realm. As a side-effect
this also let's you have a SaaS type solution where self-registered users can create
and manage their own realms, but not access other realms.
Now it's only a bit more testing + documentation left for this
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
Sent: Wednesday, 26 February, 2014 7:11:54 PM
Subject: Re: [keycloak-dev] Realm admin permissions added
On 2/26/2014 12:41 PM, Stian Thorgersen wrote:
> Added view roles as well. Admin console has been updated to make forms
> read-only if user only has view role (there's a few widgets it doesn't
> work for, but should be fixed soon).
> The new roles are:
> * view-realm
> * view-users
> * view-applications
> * view-clients
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 25 February, 2014 12:59:39 PM
>> Subject: [keycloak-dev] Realm admin permissions added
>> Realm admin permissions added has been added to master.
>> A quick overview on how it works:
>> When a realm is created an application is created in the keycloak-admin
>> realm. The application name is '<realm name>-realm'. This
>> represents the roles associated with the realm, and let's you add role
>> mappings to users as well as scope mappings to apps/clients. A realm app
>> the following roles:
>> * manage-realm
>> * manage-users
>> * manage-applications
>> * manage-clients
>> These roles are all read/write. In the future I imagine we can add some
>> only roles (view-realm, view-users, view-applications, view-clients). I
>> didn't add it this time around as it would require a fair amount of
>> to admin console (everything is forms with buttons at the moment, so would
>> have to add read only views).
>> When listing realms the admin console will only return the realms where
>> user has one or more of the above roles. The admin console will also
>> the menu depending on what roles the user has (for example a user that
>> has 'manage-clients' and 'manage-users' will not see
>> There's a realm role called 'admin' as well. This is a composite
>> when creating a new realm all roles for the new realm are added to it.
>> users with this role is allowed to create, import or delete realms.
>> To create a new realm, with a user that has only 'manage-users' and
>> 'manage-clients' access to this new realm, do the following:
>> 1. Create a new realm called 'test'
>> 2. Navigate to users for 'keycloak-admin' realm
>> 3. Create new user called 'test' (enable + reset creds)
>> 4. Click on 'Role mappings'
>> 5. In 'Applications' drop-down select 'test-realm'
>> 6. Select 'manage-users' and 'manage-clients' and click the
>> add mapping
>> 7. Log out of admin console, and login as 'test'
>> The pages in the admin console themselves haven't been disabled, only the
>> menu to navigate there. You can try opening for example:
>> keycloak-dev mailing list
> keycloak-dev mailing list
JBoss, a division of Red Hat
keycloak-dev mailing list