Hi there,
I'm Alex's coworker and I'll be working on this too.
We were just discussing your idea, and it seems to fit our requirements.
As far as we have seen, keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
realm master.
We are currently considering whether we could mimic this structure for
applications. What do you think?

I had an idea a while back that is a simple way to achieve what
you're asking for. The idea would be to only allow an admin to grant roles that
the admin has access to.
Basically:
* A user with admin (super user) role can grant any roles (we would need
  to add a per-realm super user role)
* A user with the role manage-users and some roles on app1 can only
  grant other users the roles on app1
* A user with the role manage-users and some roles on app2 can only
  grant other users the roles on app2
This is something we should add in either case (to prevent users granting
themselves more access). Would it solve your problems?
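The grant rule sketched in the quoted idea, as an added example that is not code from this thread or from Keycloak itself: an admin holding manage-users may only hand out roles they hold themselves, and only a per-realm super user role bypasses that. The Role/User types, the `realm-super-user` role name and the "roles the admin holds" reading of "the roles on app1" are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Set

# "manage-users" is the existing realm-management role named in the thread;
# "realm-super-user" is an assumed name for the proposed per-realm super user role.
MANAGE_USERS = "manage-users"
SUPER_USER = "realm-super-user"


@dataclass(frozen=True)
class Role:
    app: str   # application ("client") the role belongs to; "realm" for realm-level roles
    name: str


@dataclass
class User:
    username: str
    roles: Set[Role] = field(default_factory=set)


def can_grant(admin: User, target: Role) -> bool:
    """Return True if `admin` may grant `target` to another user.

    Rule from the thread: a realm super user may grant anything; otherwise the
    admin needs manage-users and may only grant roles they hold themselves.
    """
    if Role("realm", SUPER_USER) in admin.roles:
        return True
    if Role("realm", MANAGE_USERS) not in admin.roles:
        return False
    return target in admin.roles


def grant(admin: User, target_user: User, role: Role) -> bool:
    """Apply the grant only when permitted; returns whether it happened.

    Because the check is on the admin's own roles, an admin cannot escalate
    themselves (target_user == admin) beyond what they already hold.
    """
    if not can_grant(admin, role):
        return False
    target_user.roles.add(role)
    return True


if __name__ == "__main__":
    app1_admin = User("app1-admin", {Role("realm", MANAGE_USERS), Role("app1", "editor")})
    bob = User("bob")
    print(grant(app1_admin, bob, Role("app1", "editor")))   # allowed: admin holds it
    print(grant(app1_admin, bob, Role("app2", "editor")))   # denied: not held by admin
    print(grant(app1_admin, app1_admin, Role("realm", SUPER_USER)))  # denied: self-escalation
```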