Sorry for late response, but this one ended up in my spam for some reason.

KEYCLOAK-1735 is not a bug as by definition a bug is something that not works as designed. I agree with you that the approach is less than elegant, which is why we have an outstanding issue to enhance this.

At some point we are going to redesign the admin permissions to provide more fine grained control, which will make it possible to create admins that can manage groups of users and/or roles. However, the way it works now is that it's an all or nothing thing. End of the day though if someone with manage-users role was prevented from making them selves an admin of Keycloak, they would still have the power to make themselves an admin (or the equivalent role) in your applications and in that way obtaining full permissions to all your business logic/data. So that's a permissions you should only give to a trusted individual in the first place. With that in mind I disagree that this is really a vulnerability, but I appreciate that the permission is to course for most.

On 13 October 2015 at 20:15, David Illsley <davidillsley@gmail.com> wrote:

Hi all,
KEYCLOAK-1735 describes that users with the 'manage-users' can role can self-assign 'manage-realm', and gain substantial extra privileges.

This behaviour came as a substantial surprise to me when I discovered it, and I suspect there are users out there who have vulnerabilities due to this unexpected behaviour.

KEYCLOAK-1735 is currently marked as an enhancement, and while I can see that it might be substantial work to change this behaviour, I think it should be a priority to make the behaviour clear to users - probably through documentation, and possibly through renaming the role so that its expansive powers are clear.

Is this a possibility? What's the best way to get this to happen?
Thanks,
David

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user