[keycloak-dev] Authz for admin console/endpoints (KEYCLOAK-292)

Stian Thorgersen stian at redhat.com
Thu Feb 20 10:05:15 EST 2014

Currently a user in the 'keycloak-admin' realm with the role 'admin' has full access to all realms. We need to support more fine-grained access control for the admin console/endpoints. At the bare minimum we need to be able to have users that can administer only some realms. Further, it would be nice to build this on top of roles alone and not require an ACL table or something similar.

We could start with the following permissions/roles for a realm:

* view-realm-config
* manage-realm-config
* view-users
* manage-users
* view-applications
* manage-applications
* view-clients
* manage-clients
* admin (composite role containing all the above roles)

One approach to this would be to create an application per-realm that represents that realm (application name could be 'realm-<realm name>'). This would be created automatically when we create a new realm, and it would have the above roles as application roles. Users can then be granted access to individual realms by mapping the roles for the associated application to them.

We could also have a composite realm role 'admin' that maps to the 'admin' role in all realm applications. Any user that is granted this role would have full access to all realms.
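To make the proposal above concrete, here is a small model of the scheme, added as an illustration and not code from Keycloak itself: each new realm gets a 'realm-<realm name>' application in the admin realm carrying the eight permission roles plus an 'admin' composite, a realm-level 'admin' composite points at every realm application's 'admin', and an access check expands composites transitively before looking for the (application, role) pair. The names `realm_app_name`, `create_realm`, `expand_roles` and `can` are assumptions for this example.

```python
# Added example: a model of per-realm admin applications and composite roles.
# Not Keycloak code; function and class names are assumptions for illustration.
from dataclasses import dataclass, field

# The permissions proposed for a realm (the 'admin' composite is built from these).
REALM_PERMISSIONS = (
    "view-realm-config", "manage-realm-config",
    "view-users", "manage-users",
    "view-applications", "manage-applications",
    "view-clients", "manage-clients",
)


def realm_app_name(realm: str) -> str:
    """One application per realm, named 'realm-<realm name>'."""
    return f"realm-{realm}"


@dataclass
class Application:
    name: str
    # role name -> set of (app_name, role_name) members; empty set for a plain role
    roles: dict = field(default_factory=dict)


@dataclass
class AdminRealm:
    """The 'keycloak-admin' realm: holds the realm applications and realm-level roles."""
    name: str = "keycloak-admin"
    applications: dict = field(default_factory=dict)
    # realm-level role name -> composite members as (app_name, role_name)
    realm_roles: dict = field(default_factory=dict)


def create_realm(admin_realm: AdminRealm, realm: str) -> Application:
    """Creating a realm auto-creates its application with the permission roles,
    an 'admin' composite over them, and links it into the realm-level 'admin'."""
    app = Application(realm_app_name(realm))
    for perm in REALM_PERMISSIONS:
        app.roles[perm] = set()
    app.roles["admin"] = {(app.name, p) for p in REALM_PERMISSIONS}
    admin_realm.applications[app.name] = app
    # Realm-level 'admin' = 'admin' in every realm application -> full access to all realms.
    admin_realm.realm_roles.setdefault("admin", set()).add((app.name, "admin"))
    return app


def expand_roles(admin_realm: AdminRealm, granted: set) -> set:
    """Transitively expand composite roles.

    `granted` holds (app_name, role_name) pairs; app_name None means a realm-level role.
    A visited set guards against cycles between composites."""
    effective = set()
    todo = list(granted)
    while todo:
        key = todo.pop()
        if key in effective:
            continue
        effective.add(key)
        app_name, role = key
        if app_name is None:
            members = admin_realm.realm_roles.get(role, set())
        else:
            app = admin_realm.applications.get(app_name)
            members = app.roles.get(role, set()) if app else set()
        todo.extend(members)
    return effective


def can(admin_realm: AdminRealm, granted: set, realm: str, permission: str) -> bool:
    """Does a user with role mappings `granted` hold `permission` on `realm`?"""
    if permission not in REALM_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    return (realm_app_name(realm), permission) in expand_roles(admin_realm, granted)


if __name__ == "__main__":
    # Constructed sample: two realms, three users with different mappings.
    admin = AdminRealm()
    create_realm(admin, "demo")
    create_realm(admin, "acme")
    alice = {("realm-demo", "manage-users")}          # one permission, one realm
    bob = {(None, "admin")}                            # realm-level admin: everything
    carol = {("realm-acme", "admin")}                  # full admin of 'acme' only
    print(can(admin, alice, "demo", "manage-users"))   # True
    print(can(admin, alice, "acme", "manage-users"))   # False
    print(can(admin, bob, "acme", "manage-clients"))   # True
    print(can(admin, carol, "demo", "view-users"))     # False
```

Note that a plain 'manage-users' mapping does not imply 'view-users' here; whether manage-* should contain the matching view-* role is not part of the proposal and would be a separate decision.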

This made me think about the concept of "resources" in Keycloak. A resource is similar to an application except it doesn't have scope mappings, nor does it have credentials. This could be used in the demo for the 'database-service', which would mean we'd have roles associated with the 'database-service' rather than using realm roles. It would also provide an installation file (and wildfly config) where 'bearer-only' is set to 'true'.
