[keycloak-dev] cross-realm administration

Bill Burke bburke at redhat.com
Tue Dec 8 07:50:48 EST 2015


Continuing our hangout from yesterday...

The primary goal, IMO is to 1) clean up the master realm clients 
2) remove the master realm requirement for cross-realm impersonation 3) 
give possibility to remove the master realm

Right now non-master realms trust admins in the master realm.  These 
"child" realms allow the master realm to decide which users in the 
master realm are allowed to access it.  I'll call this "cross-realm 
administration".  We could continue this model, but without role 
namespaces you'd have to create realm-clients in each trusted realm.

Another idea is to do something really simple.  Realm A decides to trust 
Realm B and they "share" admin roles.  If a user in Realm B has 
"view-user" permission, then he also has "view-user" permission.  The UI 
is simple and there's no need for Realm A and B to know anything else 
about each other.  This is a simpler version of "cross-realm 
administration" which doesn't give you any fine grain per-realm control. 
This requires very little UI work which is the big blocker for me.

Building on that idea, which is what I started to implement, is that 
Realm A "shares" admin roles still, but only allows certain permissions 
for Realm B.  Realm A grants admins in Realm B "view user and create client".

If you want to go further with the ability to grant a specific user or 
group in another realm admin privileges then it becomes more 
complicated.  You have a chicken and egg problem first as you'd need a 
way to view users and groups in another realm so you can grant 
permission to them. I guess it could be you

1. Granting trust to a realm allows that realm to view your users and 
groups.  Well, at least query for username/email/attributes
2. UI screens would have to be created specific for managing 
users/groups in another realm as you would want to filter what 
information gets displayed


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
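The three trust variants sketched in the mail (no trust, fully shared admin roles, shared roles restricted to what Realm A grants) as an added Python model. This is an illustration written for this page, not Keycloak code; realm names and the permission strings are assumptions.

```python
# Added illustration (not Keycloak code): models the cross-realm admin trust
# variants from the mail. Realm names and permission strings are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Realm:
    name: str
    # trusted realm name -> admin permissions that realm's admins may exercise
    # here; None means "share all admin roles" (the simpler variant)
    trusts: Dict[str, Optional[Set[str]]] = field(default_factory=dict)


def effective_admin_permissions(target: Realm, admin_realm: str,
                                admin_roles: Set[str]) -> Set[str]:
    """Permissions an admin from `admin_realm`, holding `admin_roles` in that
    home realm, may exercise in `target`.  Admins of `target` itself keep
    exactly the roles they hold there."""
    if admin_realm == target.name:
        return set(admin_roles)
    if admin_realm not in target.trusts:
        return set()                       # no trust relationship: nothing
    allowed = target.trusts[admin_realm]
    if allowed is None:
        return set(admin_roles)            # roles fully shared
    # shared roles, but only those Realm A chose to grant to Realm B
    return set(admin_roles) & set(allowed)


def can(target: Realm, admin_realm: str, admin_roles: Set[str],
        permission: str) -> bool:
    """Least-privilege check used before any cross-realm admin action."""
    return permission in effective_admin_permissions(target, admin_realm,
                                                     admin_roles)
```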

