Hi all,
I'm trying to use KC for a suite of multitenant webapps.
Each tenant/customer has a separate realm and I use a custom
Federation Provider to map users and roles to my company's
legacy custom ACL database. Customers also want to
manage/create users on their own, but I don't want them to manage
other realm stuff like Federation Provider parameters, client
apps, etc., so I only grant some users of each realm
the "manage-users"/"view-users" roles from the
realm-management client, so they can only see the Manage Users option
in the realm console.
The problem is that through the console they can promote
themselves by assigning the "manage-realm" role to existing
or new users, and after a simple refresh they can
manage the entire realm.
Is there a way to avoid this, or am I wrong to do this?
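The escalation described above (a delegated user administrator granting a realm-management role beyond what they were given) shows up in Keycloak's admin events if admin event logging is enabled for the realm. The following is an added example, not code from the original post or from the Keycloak project: it scans admin event records in the shape of Keycloak's AdminEventRepresentation (`operationType`, `resourceType`, `resourcePath`, `authDetails.userId`, and a JSON-string `representation`) and flags any event where a delegated administrator grants a realm-management client role outside the allowed set. The allow-list, the delegated admin ids, the client UUID and the sample events are all constructed for this example.

```python
"""Detect delegated-admin privilege escalation in Keycloak admin events.

Added example (not from the original post). Assumptions: the events follow
Keycloak's AdminEventRepresentation layout, the delegated user admins are
known by user id, and they may only hold or grant manage-users/view-users
on the realm-management client.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Set

# Roles a delegated "user administrator" may legitimately hold or grant
# on the realm-management client (assumption for this example).
ALLOWED_DELEGATED_ROLES: Set[str] = {"manage-users", "view-users"}

# resourcePath of a client-level role-mapping event, e.g.
# "users/<user-id>/role-mappings/clients/<client-uuid>"
_ROLE_MAPPING_PATH = re.compile(r"^users/([^/]+)/role-mappings/clients/([^/]+)$")


def granted_roles(event: Dict) -> Set[str]:
    """Return the role names a CLIENT_ROLE_MAPPING CREATE event grants.

    Keycloak stores the event's ``representation`` as a JSON string holding
    a list of role representations; anything else yields an empty set.
    """
    if event.get("resourceType") != "CLIENT_ROLE_MAPPING":
        return set()
    if event.get("operationType") != "CREATE":
        return set()
    try:
        roles = json.loads(event.get("representation") or "[]")
    except json.JSONDecodeError:
        return set()
    return {r["name"] for r in roles if isinstance(r, dict) and "name" in r}


def target_user(event: Dict) -> Optional[str]:
    """Extract the user id a client role-mapping event applies to, if any."""
    match = _ROLE_MAPPING_PATH.match(event.get("resourcePath", ""))
    return match.group(1) if match else None


def find_escalations(events: Iterable[Dict], delegated_admins: Set[str]) -> List[Dict]:
    """Flag events where a delegated admin grants a role outside the allow-list."""
    findings: List[Dict] = []
    for ev in events:
        actor = ev.get("authDetails", {}).get("userId")
        if actor not in delegated_admins:
            continue  # full realm admins are expected to grant these roles
        disallowed = granted_roles(ev) - ALLOWED_DELEGATED_ROLES
        if not disallowed:
            continue
        target = target_user(ev)
        findings.append({
            "time": ev.get("time"),
            "actor": actor,
            "target": target,
            "roles": sorted(disallowed),
            "self_grant": target == actor,  # the case described in the post
        })
    return findings


# Constructed sample data: two delegated admins and a handful of events.
DELEGATED_ADMINS: Set[str] = {"u-alice", "u-bob"}
_RM_CLIENT = "rm-client-uuid-placeholder"  # realm-management client id (constructed)


def _role_mapping(time: int, actor: str, target: str, roles: List[str]) -> Dict:
    """Build a CLIENT_ROLE_MAPPING CREATE admin event (constructed sample)."""
    return {
        "time": time, "realmId": "tenant-a",
        "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
        "resourcePath": f"users/{target}/role-mappings/clients/{_RM_CLIENT}",
        "authDetails": {"realmId": "tenant-a", "clientId": "security-admin-console",
                        "userId": actor, "ipAddress": "10.0.0.5"},
        "representation": json.dumps([{"name": r, "clientRole": True} for r in roles]),
    }


SAMPLE_EVENTS: List[Dict] = [
    {"time": 1, "realmId": "tenant-a", "operationType": "CREATE", "resourceType": "USER",
     "resourcePath": "users/u-dave", "authDetails": {"userId": "u-alice"},
     "representation": json.dumps({"username": "dave"})},
    _role_mapping(2, "u-alice", "u-dave", ["view-users"]),          # allowed
    _role_mapping(3, "u-alice", "u-alice", ["manage-realm"]),       # self-escalation
    _role_mapping(4, "u-root", "u-erin", ["manage-realm"]),         # real realm admin
    _role_mapping(5, "u-bob", "u-carol", ["manage-users", "realm-admin"]),  # escalation
]


if __name__ == "__main__":
    for finding in find_escalations(SAMPLE_EVENTS, DELEGATED_ADMINS):
        print(finding)
```

In practice the events would be pulled from the admin events endpoint or the database rather than embedded, and the allow-list would be whatever roles the tenant admins were actually granted. Keycloak's fine-grained admin permissions are the preventive control for this; the detection above is the compensating check that tells you when a delegated admin has stepped outside that grant.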