[keycloak-dev] Realm admin permissions added

Stian Thorgersen stian at redhat.com
Thu Feb 27 06:12:30 EST 2014


Added one more role create-realm. This is handy as it allows adding users that can create new realms without giving them permissions to everything. When a realm is created and the user is not an admin the user will be given all roles for that realm. As a side-effect this also lets you have a SaaS type solution where self-registered users can create and manage their own realms, but not access other realms.

Now it's only a bit more testing + documentation left for this

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 26 February, 2014 7:11:54 PM
> Subject: Re: [keycloak-dev] Realm admin permissions added
> 
> Very nice.
> 
> On 2/26/2014 12:41 PM, Stian Thorgersen wrote:
> > Added view roles as well. Admin console has been updated to make forms
> > read-only if user only has view role (there's a few widgets it doesn't
> > work for, but should be fixed soon).
> >
> > The new roles are:
> >
> > * view-realm
> > * view-users
> > * view-applications
> > * view-clients
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 25 February, 2014 12:59:39 PM
> >> Subject: [keycloak-dev] Realm admin permissions added
> >>
> >> Realm admin permissions added has been added to master.
> >>
> >> A quick overview on how it works:
> >>
> >> When a realm is created an application is created in the keycloak-admin
> >> realm. The application name is '<realm name>-realm'. This application
> >> represents the roles associated with the realm, and lets you add role
> >> mappings to users as well as scope mappings to apps/clients. A realm app
> >> has the following roles:
> >>
> >> * manage-realm
> >> * manage-users
> >> * manage-applications
> >> * manage-clients
> >>
> >> These roles are all read/write. In the future I imagine we can add some
> >> view only roles (view-realm, view-users, view-applications, view-clients).
> >> I didn't add it this time around as it would require a fair amount of
> >> changes to admin console (everything is forms with buttons at the moment,
> >> so would have to add read only views).
> >>
> >> When listing realms the admin console will only return the realms where
> >> the user has one or more of the above roles. The admin console will also
> >> change the menu depending on what roles the user has (for example a user
> >> that only has 'manage-clients' and 'manage-users' will not see 'settings'
> >> and 'applications').
> >>
> >> There's a realm role called 'admin' as well. This is a composite role and
> >> when creating a new realm all roles for the new realm are added to it.
> >> Only users with this role are allowed to create, import or delete realms.
> >>
> >> To create a new realm, with a user that has only 'manage-users' and
> >> 'manage-clients' access to this new realm, do the following:
> >>
> >> 1. Create a new realm called 'test'
> >> 2. Navigate to users for 'keycloak-admin' realm
> >> (http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
> >> 3. Create new user called 'test' (enable + reset creds)
> >> 4. Click on 'Role mappings'
> >> 5. In 'Applications' drop-down select 'test-realm'
> >> 6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
> >> add mapping
> >> 7. Log out of admin console, and login as 'test'
> >>
> >> The pages in the admin console themselves haven't been disabled, only the
> >> menu to navigate there. You can try opening for example:
> >>
> >> http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
> >> http://localhost:8081/auth/admin/index.html#/realms/test/applications
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
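The permission scheme described across this thread (the per-realm application '<realm name>-realm' with its manage-* and view-* roles, the 'admin' composite, the create-realm role, realm listing filtered by held roles, and forms going read-only for view-only users) modelled as an added Python example. This is not Keycloak's own code: the `AdminRealm` in-memory store, the function names and the mapping from console sections to roles are assumptions made for the model; the thread names only 'settings' and 'applications' as sections.

```python
from dataclasses import dataclass, field

# Roles of the per-realm application '<realm name>-realm', as listed in the thread.
MANAGE_ROLES = frozenset({"manage-realm", "manage-users", "manage-applications", "manage-clients"})
VIEW_ROLES = frozenset({"view-realm", "view-users", "view-applications", "view-clients"})
REALM_APP_ROLES = MANAGE_ROLES | VIEW_ROLES

# Assumed mapping of admin-console sections to (read/write role, view-only role).
SECTION_ROLES = {
    "settings": ("manage-realm", "view-realm"),
    "users": ("manage-users", "view-users"),
    "applications": ("manage-applications", "view-applications"),
    "clients": ("manage-clients", "view-clients"),
}


@dataclass
class AdminRealm:
    """Constructed stand-in for the keycloak-admin realm's role mappings."""
    realms: set = field(default_factory=set)
    realm_roles: dict = field(default_factory=dict)      # user -> {'admin', 'create-realm'}
    app_roles: dict = field(default_factory=dict)        # user -> {app name: {roles}}
    admin_composite: dict = field(default_factory=dict)  # app name -> roles inside 'admin'

    def grant_realm_role(self, user, role):
        self.realm_roles.setdefault(user, set()).add(role)

    def grant_app_roles(self, user, app, roles):
        self.app_roles.setdefault(user, {}).setdefault(app, set()).update(roles)

    def effective_app_roles(self, user, realm):
        """Direct mappings on '<realm>-realm' plus whatever the 'admin' composite expands to."""
        app = f"{realm}-realm"
        roles = set(self.app_roles.get(user, {}).get(app, ()))
        if "admin" in self.realm_roles.get(user, ()):
            roles |= self.admin_composite.get(app, set())
        return roles


def create_realm(store, user, name):
    """'admin' or 'create-realm' may create; a non-admin creator gets every role of the new realm."""
    held = store.realm_roles.get(user, set())
    if not held & {"admin", "create-realm"}:
        raise PermissionError(f"{user} may not create realms")
    if name in store.realms:
        raise ValueError(f"realm {name!r} already exists")
    store.realms.add(name)
    app = f"{name}-realm"
    store.admin_composite[app] = set(REALM_APP_ROLES)   # all new roles join the 'admin' composite
    if "admin" not in held:
        store.grant_app_roles(user, app, REALM_APP_ROLES)
    return app


def delete_realm(store, user, name):
    """Only the 'admin' composite may delete; mappings on the realm app are dropped with it."""
    if "admin" not in store.realm_roles.get(user, set()):
        raise PermissionError(f"{user} may not delete realms")
    store.realms.discard(name)
    store.admin_composite.pop(f"{name}-realm", None)
    for apps in store.app_roles.values():
        apps.pop(f"{name}-realm", None)


def list_realms(store, user):
    """Realms the console lists: those where the user holds at least one realm app role."""
    return sorted(r for r in store.realms if store.effective_app_roles(user, r) & REALM_APP_ROLES)


def visible_sections(store, user, realm):
    """Menu entries shown for a realm, driven by the roles the user actually holds."""
    roles = store.effective_app_roles(user, realm)
    return sorted(s for s, needed in SECTION_ROLES.items() if roles & set(needed))


def section_mode(store, user, realm, section):
    """'read-write' with the manage role, 'read-only' with just the view role, None otherwise."""
    roles = store.effective_app_roles(user, realm)
    manage, view = SECTION_ROLES[section]
    if manage in roles:
        return "read-write"
    if view in roles:
        return "read-only"
    return None
```

The walk-through from the first message maps directly onto this: an 'admin' creates 'test', user 'test' is mapped to 'manage-users' and 'manage-clients' on 'test-realm', and `visible_sections` then hides 'settings' and 'applications' while `list_realms` shows only 'test'. A self-registered user holding just 'create-realm' gets the full role set on the realm they create and nothing on anyone else's.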

