The way it works now is that the "Super Realm" has an "admin-console"
application. This "admin-console" has an "admin" role. Users in the
"Super Realm" are given this role. Keycloak can secure itself this way
and be self-bootstrapped, as you see when you run the tutorials. What's
even more interesting about this approach is that you can do OAuth
grants too. You can temporarily grant a third-party app permission to
do things to any realm you want.
We should probably do something similar for each individual realm.
On 2/13/2014 5:37 AM, Travis De Silva wrote:
Wow, I didn't think of the other use cases that you listed. Yes,
definitely something that happens in the real world, and it would be great
if Keycloak had these features. No complaints from me if we can do what I
suggested as a starting point, for obvious selfish reasons :)
I have raised a Jira case for this.
Keycloak early champion community members, please vote for this feature.
BTW, thanks Stian, Bill and the Keycloak team for your fantastic work.
Keycloak is so simple to use and implement, and that is amazing when you
think of the complex problems it is solving. Wishing Keycloak all the best.
On Wed, Feb 12, 2014 at 9:11 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
This is not possible at the moment. It's something that I'd imagine
would be needed, and with more fine-grained control. I can imagine
scenarios such as:
* Devs that are allowed to create/edit apps, but not manage users
* Devs that can create clients, but not applications
* Managers that are allowed to view user details, but not reset
* Admins that can do everything for a single realm, or for all realms
We don't have anything planned at the moment though, and what you're
proposing could be a sensible starting point. Please create a JIRA ;)
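The realm-scoped permission model discussed in the two messages above (a super-realm "admin" role on the "admin-console" application that reaches every realm, and the narrower per-realm roles Stian lists), worked through as an added Python example. This is illustrative code written for this page, not Keycloak's code or API; the role and permission names, the "*" all-realms wildcard, and the sample principals are all assumptions.

```python
"""Realm-scoped role checks modelled on the thread's proposal.

Constructed example for this page; not Keycloak code. Role names,
permission names and the "*" all-realms wildcard are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping

ALL_REALMS = "*"  # assumed sentinel: a grant that applies to every realm

# Assumed role -> permission table, mirroring the scenarios in the thread:
# devs who edit apps but not users, devs limited to clients, managers who
# may view users but not reset passwords, and a full admin of one realm.
ROLE_PERMISSIONS: Mapping[str, FrozenSet[str]] = {
    "app-dev": frozenset({"create-app", "edit-app"}),
    "client-dev": frozenset({"create-client"}),
    "user-viewer": frozenset({"view-users"}),
    "realm-admin": frozenset({
        "create-app", "edit-app", "create-client",
        "view-users", "reset-password", "manage-users",
    }),
}

# Permissions that only make sense outside any single realm; they are
# never reachable through a per-realm grant, however privileged.
SUPER_ONLY: FrozenSet[str] = frozenset({"create-realm", "list-realms"})


@dataclass(frozen=True)
class Principal:
    name: str
    # realm name (or ALL_REALMS) -> roles held in that scope
    grants: Mapping[str, FrozenSet[str]]


def permissions_in(p: Principal, realm: str) -> FrozenSet[str]:
    """Effective permissions of p inside one realm. Unknown roles grant nothing."""
    roles = set(p.grants.get(realm, ())) | set(p.grants.get(ALL_REALMS, ()))
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    # Only an all-realms realm-admin (the "admin" role on the super realm's
    # admin-console application, in the thread's current design) may create
    # or enumerate realms.
    if "realm-admin" in p.grants.get(ALL_REALMS, ()):
        perms |= SUPER_ONLY
    return frozenset(perms)


def is_allowed(p: Principal, action: str, realm: str) -> bool:
    """Fail closed: anything not explicitly granted is denied."""
    return action in permissions_in(p, realm)


def visible_realms(p: Principal, known_realms: Iterable[str]) -> List[str]:
    """What the realm drop-down should list: every realm for a super admin,
    otherwise only the realms the principal holds some grant in."""
    if ALL_REALMS in p.grants:
        return sorted(known_realms)
    return sorted(r for r in known_realms if r in p.grants)


# Constructed sample principals (assumptions, not real accounts).
SUPER_ADMIN = Principal("root", {ALL_REALMS: frozenset({"realm-admin"})})
DEMO_ADMIN = Principal("demo-admin", {"demo": frozenset({"realm-admin"})})
DEMO_MANAGER = Principal("demo-manager", {"demo": frozenset({"user-viewer"})})
DEMO_DEV = Principal("demo-dev", {"demo": frozenset({"app-dev", "client-dev"})})
KNOWN_REALMS = ("master", "demo", "acme")

if __name__ == "__main__":
    for who in (SUPER_ADMIN, DEMO_ADMIN, DEMO_MANAGER, DEMO_DEV):
        print(who.name, visible_realms(who, KNOWN_REALMS),
              sorted(permissions_in(who, "demo")))
```

The two points worth carrying into a real implementation are that realm-creating and realm-listing powers live outside any realm scope, so a realm admin cannot reach them by accumulating per-realm roles, and that the realm drop-down is driven by the same grant table as the authorization check rather than by a separate UI flag.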
----- Original Message -----
> From: "Travis De Silva" <traviskds(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 12 February, 2014 6:48:09 AM
> Subject: [keycloak-user] Realm Level Admin
>
> I have not been able to figure out if we can have Realm level
> admins. My use case is:
> We have keycloak application wide super admins. They can create
> go into any realm and create users, applications etc. Just how
> admin user operates now.
> Then within a Realm, for example let's say Demo realm, can we have
> admin user (e.g. demo realm admin) who can perform all the tasks
> within that Realm. That user will not be able to view the other
> it should not display the realm selection drop down and also
> should not be able to create new realms.
> Thoughts? I am happy to raise a feature request in Jira if this
> not possible and doable in a future release as I believe this
> increase user adoption, especially for applications that are
> multi-tenancy functionality.
>
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org