9:55 a.m.
Hi all...
We started using keycloack a few weeks ago, trying a SSO solution for our
company. We used to use a proprietary system for
authentication/authorization and our users have a console admin which allow
them to manage users and roles per application.
We tried doing that in keycloack but the only way we found to do something
similar to that, was giving realm-management rights to the application
admin. This was not what we were trying to do, because those rights allow
the admin of app1 give permission to users of app2.
We found another user of this forum with a similar question in february
archives... [1] but the answer did not specify if this is in future plans.
If not, is there any help we could count on to implement ourselves?
[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto:alexgv99@gmail.com
10:06 a.m.
So, you have an "application admin", and you want this admin to only be
able to add permissions for that app for a specific user? You'll have
to submit a JIRA for that. Our queue is very large right now, so I
can't promise much.
On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
Hi all...
We started using keycloack a few weeks ago, trying a SSO solution for
our company. We used to use a proprietary system for
authentication/authorization and our users have a console admin which
allow them to manage users and roles per application.
We tried doing that in keycloack but the only way we found to do
something similar to that, was giving realm-management rights to the
application admin. This was not what we were trying to do, because those
rights allow the admin of app1 give permission to users of app2.
We found another user of this forum with a similar question in february
archives... [1] but the answer did not specify if this is in future
plans. If not, is there any help we could count on to implement ourselves?
[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto:alexgv99@gmail.com <mailto:alexgv99@gmail.com>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:31 p.m.
We found a Jira about the same issue we talked about [1]. We are available
to help implementing that feature, but we barely know about the keycloak
implementation.
Our current idea is to create the app-admin role when the application is
created in the realm. We would display a widget in the Application > <app
name> > Roles > <role name> screen to allow the app-admin to assign the
given role to users.
As for the schema, we're not sure how to store the "app-admin" information.
We provisionally thought about a boolean field stating whether the role is
the admin role of the app associated, but input here would be very welcome.
In short, if someone could provide some guidance on this sort of issues,
we're more than happy to provide some code.
[1] https://issues.jboss.org/browse/KEYCLOAK-1032
<https://www.google.com/url?q=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKE...
Cordialmente.
Alex Gouvêa Vasconcelos
mailto:alexgv99@gmail.com
MSN: alexgv99(a)hotmail.com
http://about.me/alexgv99
2015-03-23 12:06 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
So, you have an "application admin", and you want this
admin to only be
able to add permissions for that app for a specific user? You'll have
to submit a JIRA for that. Our queue is very large right now, so I
can't promise much.
On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
> Hi all...
>
> We started using keycloack a few weeks ago, trying a SSO solution for
> our company. We used to use a proprietary system for
> authentication/authorization and our users have a console admin which
> allow them to manage users and roles per application.
> We tried doing that in keycloack but the only way we found to do
> something similar to that, was giving realm-management rights to the
> application admin. This was not what we were trying to do, because those
> rights allow the admin of app1 give permission to users of app2.
>
> We found another user of this forum with a similar question in february
> archives... [1] but the answer did not specify if this is in future
> plans. If not, is there any help we could count on to implement
ourselves?
>
> [1]
http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
>
> Best regards.
> Alex Gouvêa Vasconcelos
> mailto:alexgv99@gmail.com <mailto:alexgv99@gmail.com>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:50 p.m.
+1. Glad that you are willing to pitch in. May I request that an API be provided to add
users to this role dynamically?
Regards,Raghu
From: Alex Gouvêa Vasconcelos <alexgv99(a)gmail.com>
To: Bill Burke <bburke(a)redhat.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>;
Thiago Addevico Presa <thiago.addevico(a)gmail.com>
Sent: Monday, March 23, 2015 4:31 PM
Subject: Re: [keycloak-user] Application Management
We found a Jira about the same issue we talked about [1]. We are available to help
implementing that feature, but we barely know about the keycloak implementation.
Our current idea is to create the app-admin role when the application is created in the
realm. We would display a widget in the Application > <app name> > Roles >
<role name> screen to allow the app-admin to assign the given role to users.
As for the schema, we're not sure how to store the "app-admin" information.
We provisionally thought about a boolean field stating whether the role is the admin role
of the app associated, but input here would be very welcome.
In short, if someone could provide some guidance on this sort of issues, we're more
than happy to provide some code.
[1] https://issues.jboss.org/browse/KEYCLOAK-1032
Cordialmente.Alex Gouvêa Vasconcelosmailto:alexgv99@gmail.com
MSN: alexgv99(a)hotmail.com
http://about.me/alexgv99
2015-03-23 12:06 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
So, you have an "application admin", and you want this admin to only be
able to add permissions for that app for a specific user? You'll have
to submit a JIRA for that. Our queue is very large right now, so I
can't promise much.
On 3/23/2015 10:55 AM, Alex Gouvêa Vasconcelos wrote:
Hi all...
We started using keycloack a few weeks ago, trying a SSO solution for
our company. We used to use a proprietary system for
authentication/authorization and our users have a console admin which
allow them to manage users and roles per application.
We tried doing that in keycloack but the only way we found to do
something similar to that, was giving realm-management rights to the
application admin. This was not what we were trying to do, because those
rights allow the admin of app1 give permission to users of app2.
We found another user of this forum with a similar question in february
archives... [1] but the answer did not specify if this is in future
plans. If not, is there any help we could count on to implement ourselves?
[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto:alexgv99@gmail.com <mailto:alexgv99@gmail.com>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:55 a.m.
I had an idea a while back that is a simple way to achieve what you're asking for. The
idea would be to only allow an admin to grant roles that the admin has access to.
Basically:
* A user with admin (super user) role can grant any roles (we would need to add a
per-realm super user role)
* A user with the role manage-users and some roles on app1 can only grant other users the
roles on app1
* A user with the role manage-users and some roles on app2 can only grant other users the
roles on app2
This is something we should add in either case (to prevent users granting themselves more
access). Would it solve your problems?
----- Original Message -----
From: "Alex Gouvêa Vasconcelos" <alexgv99(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 23 March, 2015 3:55:07 PM
Subject: [keycloak-user] Application Management
Hi all...
We started using keycloack a few weeks ago, trying a SSO solution for our
company. We used to use a proprietary system for
authentication/authorization and our users have a console admin which allow
them to manage users and roles per application.
We tried doing that in keycloack but the only way we found to do something
similar to that, was giving realm-management rights to the application
admin. This was not what we were trying to do, because those rights allow
the admin of app1 give permission to users of app2.
We found another user of this forum with a similar question in february
archives... [1] but the answer did not specify if this is in future plans.
If not, is there any help we could count on to implement ourselves?
[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto: alexgv99(a)gmail.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3578
days inactive
3579
days old
4 comments
4 participants
participants (4)
-
Alex Gouvêa Vasconcelos -
Bill Burke -
Raghu Prabhala -
Stian Thorgersen