[keycloak-dev] Hide internal clients and roles
Stan Silvert
ssilvert at redhat.com
Wed Jun 10 10:34:21 EDT 2015
On 6/10/2015 10:15 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 10 June, 2015 4:08:16 PM
>> Subject: Re: [keycloak-dev] Hide internal clients and roles
>>
>> I think security-admin-console and realm-management should be merged in
>> non-Master realms. In master realm, rename everything to
>> <realm>-security-admin-console. Finally, an internal role or client
>> would not be able to be deleted.
>>
>> I don't think you should hide any roles ever. I don't see why you would
>> want to. I do think you should make internal clients and roles unremovable.
> Hiding the internal realm roles would enable a "blank slate" page on the realm roles list. Alternatively, and I actually think this is a better idea, is to make the admin and create-realm roles roles of the master-security-admin-console realm rather than realm roles. In that case all we need is "internal" clients and an option to view/hide them on the clients list.
>
> Which one is it btw "an internal role or client would not be able to be deleted" or "I do think you should make internal clients and roles unremovable"?

I'm not sure I understand what you are saying here. I think I agree
with Bill on this one.

First principle is that you should never be able to do something from
the UI that cripples the operation of the system. But what applies to
the UI also applies to the API. Operations like deleting the admin user
or deleting the admin role should be forbidden at both the UI and the
API level.

I don't understand how hiding things helps the user. Instead, keep them
visible and thus encourage the user to learn about them.

>
>>
>>
>> On 6/10/2015 9:46 AM, Marek Posolda wrote:
>>> I am like 50/50. I can imagine this has some advantages as people won't
>>> be easily able to delete system clients/roles and break their keycloak
>>> server.
>>>
>>> On the other hand, when I am admin, I might be confused why some roles
>>> are not in the roles list, but are in default roles list etc? Also if
>>> someone really knows what he is doing, this might be an unwanted
>>> restriction - for example people may want to add more composite roles
>>> into "admin" role or they want to disable account client as Vlasta
>>> pointed etc.
>>>
>>> Marek
>>>
>>> On 10.6.2015 09:19, Stian Thorgersen wrote:
>>>> I propose we add an attribute 'kc_internal' to internal clients
>>>> (security-admin-console, master-realm, account, broker) and hide these
>>>> from the clients table.
>>>>
>>>> We should also do this to internal roles 'admin' and 'create-realm' so
>>>> these roles are not displayed in realm roles list. They would only be
>>>> hidden from this page, but still be visible in user role mapping, scope
>>>> mappings and default roles.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>