Supporting something like that would require a revamp of how we manage permissions for
the Keycloak admin console and endpoints.
If we can come up with a good way to do it properly I don't see any reason not to
support this level of permissions. However, I wouldn't want to just duct tape it onto
what we already have.
Currently we create "fictitious" applications to manage permissions for realms.
I don't really like this approach and it would not work for applications (as you'd
have two applications per-application).
----- Original Message -----
From: "Raghu Prabhala" <prabhalar(a)yahoo.com>
To: "Keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, April 14, 2015 4:23:58 AM
Subject: [keycloak-user] Roles/permissions specific to Client application.
Hi Dev team,
The current KC model has very coarse-grained roles that do not work for us,
specifically in regards to the application management. Let me explain our
use case.
We allow only a set of users to register/update client applications subject
to the below conditions (a simplification of our actual use case):
1) Every client application has a set of owners and only the owners of the
application can register/update an application in KC in addition to the
point 2) below.
2) Every application is part of a family that has a set of owners who can
register/update any application within that family.
When a user logs into KC, I can query our external repository to see if the
user is in say "App1 owner" role or "App1 Family Owner" role and if so,
allow him to register the application (App1) in KC. I should also be able to
link that "App1 owner" role to the newly registered application in KC so
that when another user belonging to "App1 owner" or "App1 Family Owner"
role comes in, I should allow him to update App1 and not any other
application, subject to conditions 1 and 2.
How can we achieve the above functionality in KC? Appreciate some pointers
and if there is something that can be done in KC then let me know and I will
put in an enhancement request.
Thanks in advance,
Raghu