I had an idea a while back that is a simple way to achieve what you're asking for. The
idea would be to only allow an admin to grant roles that the admin has access to.

Basically:

* A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
* A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
* A user with the role manage-users and some roles on app2 can only grant other users the roles on app2

This is something we should add in either case (to prevent users granting themselves more
access). Would it solve your problems?
----- Original Message -----
From: "Alex Gouvêa Vasconcelos" <alexgv99(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 23 March, 2015 3:55:07 PM
Subject: [keycloak-user] Application Management
Hi all...
We started using Keycloak a few weeks ago, trying an SSO solution for our
company. We used to use a proprietary system for
authentication/authorization and our users have a console admin which allows
them to manage users and roles per application.
We tried doing that in Keycloak but the only way we found to do something
similar to that was giving realm-management rights to the application
admin. This was not what we were trying to do, because those rights allow
the admin of app1 to give permission to users of app2.
We found another user of this forum with a similar question in the February
archives... [1] but the answer did not specify if this is in future plans.
If not, is there any help we could count on to implement it ourselves?
[1]
http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto: alexgv99(a)gmail.com
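
The rule proposed in the reply, modelled as an added example that is not part of the thread and is not Keycloak code. Assumptions: roles are (application, role name) pairs, the super user role name is hypothetical, and "roles that the admin has access to" is read strictly as roles the admin holds.

```python
from dataclasses import dataclass, field

# Roles are (application, role_name) pairs. The names below are assumptions for
# this sketch: the thread only says a per-realm super user role would be needed.
SUPER_USER = ("realm", "admin")
MANAGE_USERS = ("realm-management", "manage-users")

class GrantDenied(Exception):
    """Raised when an admin asks to grant a role outside their own set."""

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def split_request(admin, requested):
    """Return (allowed, denied) subsets of the requested roles for this admin."""
    requested = set(requested)
    if SUPER_USER in admin.roles:
        return requested, set()
    if MANAGE_USERS not in admin.roles:
        return set(), requested
    # Strict reading of the proposal: grantable roles are those the admin holds.
    allowed = requested & admin.roles
    return allowed, requested - allowed

def grant(admin, target, requested):
    """Apply the grant all-or-nothing so a mixed request cannot partly succeed."""
    allowed, denied = split_request(admin, requested)
    if denied:
        raise GrantDenied(f"{admin.name} may not grant {sorted(denied)}")
    target.roles |= allowed
    return target.roles

# Constructed sample users.
root = User("root", {SUPER_USER})
app1_admin = User("app1-admin", {MANAGE_USERS, ("app1", "editor"), ("app1", "viewer")})
carol = User("carol")

if __name__ == "__main__":
    print(grant(app1_admin, carol, [("app1", "viewer")]))
    for req in ([("app2", "viewer")], [("app1", "viewer"), ("app2", "editor")]):
        try:
            grant(app1_admin, carol, req)
        except GrantDenied as exc:
            print("denied:", exc)
    try:
        grant(app1_admin, app1_admin, [SUPER_USER])  # self-escalation attempt
    except GrantDenied as exc:
        print("denied:", exc)
```

A looser reading, where holding any role on app1 allows granting every app1 role, would compare application names instead of whole pairs in `split_request`.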