We're aware that permissions are not fine grained enough at the moment and
we are planning on providing something better in the future. It will
however be a while until we are able to do so.
On 22 July 2016 at 16:36, Valerij Timofeev <valerij.timofeev(a)gmail.com> wrote:
Hi,
after reading the ticket KEYCLOAK-528 I've encountered two other issues in
the "security-admin-console" application (tested on RH SSO 7.0.0):
1) As soon as a realm user gets the 'manage-users' role, he can manage
"User federation" settings and even delete it. This can result in
unintentional removal of all users linked with the user federation provider
and thus affect potentially millions of users.
2) Users having 'view-users' role can view "User Federation". The "Delete"
button is visible as well, although it does not work in the end.
IMO "User federation" should be covered by the realm management roles
instead.
Additionally the provided roles for the 'realm-management' client are not
fine grained enough IMO. One role per REST method would be ideal and, I
suppose, simpler to consider in the Keycloak Admin API.
The "security-admin-console" application without fine grained roles
exposes too much risk in real life scenarios and so makes it unusable. One
use case in mind: prevent deletion of any kind for Helpdesk employees e.g.
managing users. Having dedicated roles for DELETE operation would make such
task possible.
Kind regards
Valerij Timofeev
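Until finer-grained roles exist, the practical mitigation for the helpdesk use case above is to audit who actually holds the broad 'realm-management' roles. The following is an added example (not code from the thread or from the Keycloak project): it checks role mappings in the shape of the RoleRepresentation lists the Admin REST API returns for a user's client-role mappings (an assumption about the shape; the sample data is constructed) and flags users who must not be able to delete anything but hold a role that, per the report, allows it.

```python
"""Least-privilege audit of Keycloak 'realm-management' client-role mappings."""
from collections import defaultdict

# Roles of the 'realm-management' client that grant destructive capability.
# Per the report above, 'manage-users' also allows editing and deleting
# User Federation providers (observed on RH SSO 7.0.0).
DESTRUCTIVE_ROLES = {
    "manage-users": "can delete users and User Federation providers",
    "manage-realm": "can change or delete realm configuration",
    "manage-clients": "can delete clients",
}

# Constructed sample: username -> list of RoleRepresentation-like dicts, as
# one would collect per user from the Admin REST API role-mappings endpoint
# (assumed shape; not real data).
SAMPLE_MAPPINGS = {
    "helpdesk.alice": [{"name": "view-users"}, {"name": "manage-users"}],
    "helpdesk.bob": [{"name": "view-users"}],
    "realm.admin": [{"name": "realm-admin"}],
}

# Users whose job (the helpdesk case in the thread) must not allow deletes.
NO_DELETE_USERS = {"helpdesk.alice", "helpdesk.bob"}


def effective_roles(roles):
    """Expand the 'realm-admin' composite, which implies every other
    realm-management role, so it is not overlooked by a name-only check."""
    names = {r["name"] for r in roles}
    if "realm-admin" in names:
        names |= set(DESTRUCTIVE_ROLES)
    return names


def audit(mappings, no_delete_users):
    """Return {username: [finding, ...]} for restricted users that hold a
    destructive realm-management role. An empty dict means no violations."""
    findings = defaultdict(list)
    for user, roles in mappings.items():
        if user not in no_delete_users:
            continue
        for role in sorted(effective_roles(roles) & set(DESTRUCTIVE_ROLES)):
            findings[user].append(f"{role}: {DESTRUCTIVE_ROLES[role]}")
    return dict(findings)


if __name__ == "__main__":
    for user, problems in audit(SAMPLE_MAPPINGS, NO_DELETE_USERS).items():
        print(user, "->", "; ".join(problems))
```

Run it periodically (or on each role change) against the real mappings and treat any non-empty result as a privilege-escalation finding to be reverted.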
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user