We're aware that permissions are not fine grained enough at the moment and we are planning on providing something better in the future. It will however be a while until we are able to do so.

On 22 July 2016 at 16:36, Valerij Timofeev <valerij.timofeev@gmail.com> wrote:
Hi,

After reading the ticket KEYCLOAK-528 I've encountered two other issues in the "security-admin-console" application (tested on RH SSO 7.0.0):

1) As soon as a realm user gets the 'manage-users' role, he can manage "User federation" settings and even delete it. This can result in unintentional removal of all users linked with the user federation provider and thus affect potentially millions of users.

2) Users having the 'view-users' role can view "User Federation". The "Delete" button is visible as well, although it does not actually work.

IMO "User federation" should be covered by the realm management roles instead.

Additionally, the provided roles for the 'realm-management' client are not fine grained enough IMO. One role per REST method would be ideal and, I suppose, simpler to consider in the Keycloak Admin API.

The "security-admin-console" application without fine grained roles exposes too much risk in real-life scenarios and so makes it unusable. One use case in mind: prevent deletion of any kind for Helpdesk employees, e.g. those managing users. Having dedicated roles for the DELETE operation would make such a task possible.

Kind regards
Valerij Timofeev


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
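A defender-side check for the first issue, as an added example that is not part of this thread or of the Keycloak project: it scans Keycloak admin-event records and flags destructive changes to user federation providers made by accounts outside an allowlist, which is one way to catch misuse of the over-broad 'manage-users' role until finer-grained roles exist. The field names are assumed to follow Keycloak's admin-event JSON (resourceType, operationType, authDetails.userId), and the sample lines are constructed.

```python
import json

# Constructed sample admin-event lines (assumed Keycloak admin-event shape; values made up).
SAMPLE_ADMIN_EVENTS = "\n".join([
    json.dumps({"time": 1469200000000, "realmId": "demo", "operationType": "DELETE",
                "resourceType": "USER_FEDERATION_PROVIDER",
                "resourcePath": "user-federation/instances/ldap-1",
                "authDetails": {"realmId": "master", "clientId": "security-admin-console",
                                "userId": "helpdesk-bob", "ipAddress": "10.0.0.5"}}),
    json.dumps({"time": 1469200001000, "realmId": "demo", "operationType": "UPDATE",
                "resourceType": "USER", "resourcePath": "users/u-42",
                "authDetails": {"userId": "helpdesk-bob"}}),
    json.dumps({"time": 1469200002000, "realmId": "demo", "operationType": "DELETE",
                "resourceType": "USER_FEDERATION_PROVIDER",
                "resourcePath": "user-federation/instances/ldap-2",
                "authDetails": {"userId": "realm-admin-alice"}}),
    "this line is not an admin event",
])

FEDERATION_RESOURCE = "USER_FEDERATION_PROVIDER"
DESTRUCTIVE_OPS = {"DELETE", "UPDATE"}


def find_federation_changes(raw_lines, allowed_admins):
    """Return findings for federation-provider DELETE/UPDATE events whose actor is not
    in allowed_admins. Unparseable lines are reported too, so gaps in the audit trail
    are visible rather than silently skipped."""
    findings = []
    for lineno, line in enumerate(raw_lines.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "reason": "unparseable admin event"})
            continue
        if ev.get("resourceType") != FEDERATION_RESOURCE:
            continue
        if ev.get("operationType") not in DESTRUCTIVE_OPS:
            continue
        actor = (ev.get("authDetails") or {}).get("userId", "<unknown>")
        if actor in allowed_admins:
            continue  # an account that is expected to administer federation
        findings.append({"line": lineno, "actor": actor,
                         "op": ev["operationType"], "path": ev.get("resourcePath")})
    return findings


if __name__ == "__main__":
    for f in find_federation_changes(SAMPLE_ADMIN_EVENTS, {"realm-admin-alice"}):
        print(f)
```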