[keycloak-dev] Restrict admins to only allow granting roles they are privileged to

Stian Thorgersen stian at redhat.com
Wed Mar 25 01:49:46 EDT 2015


I propose we add a check when an admin wants to grant a role. For an admin to be allowed to grant a role, the admin either has to have the admin/realm-admin role or have the role itself. This prevents admins from adding more privileges to themselves than they already have and would also be a way to allow admins that can only manage roles for specific applications.

This should be a simple fix. In the future I think we may need to re-design how we map permissions for Keycloak. I'm really not that happy with the realm apps and such, it's messy and not flexible enough.
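The proposed grant check, written out as an added example in Python rather than Keycloak's own Java code; it models users as plain role sets and assumes the role names "admin" and "realm-admin" from the proposal, with all other names and the scenario in `demo()` constructed for illustration:

```python
from dataclasses import dataclass, field

# Roles that allow granting any role (names taken from the proposal).
SUPER_ROLES = {"admin", "realm-admin"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def can_grant(admin: User, role: str) -> bool:
    """Proposed rule: an admin may grant a role only if they are a
    realm/master admin or already hold that exact role themselves."""
    if admin.roles & SUPER_ROLES:
        return True
    return role in admin.roles


def grant_role(admin: User, target: User, role: str) -> None:
    """Apply the check before touching the target's role mapping."""
    if not can_grant(admin, role):
        raise PermissionError(f"{admin.name} may not grant role {role!r}")
    target.roles.add(role)


def demo() -> dict:
    """Constructed scenario: an app-scoped admin can delegate the role it
    holds but cannot escalate itself; a realm-admin can grant anything."""
    limited = User("alice", {"manage-users", "app-a-manager"})
    superadmin = User("bob", {"realm-admin"})
    target = User("carol")
    results = {}
    grant_role(limited, target, "app-a-manager")  # allowed: alice holds it
    results["delegated"] = "app-a-manager" in target.roles
    try:
        grant_role(limited, limited, "realm-admin")  # denied: self-escalation
        results["escalated"] = True
    except PermissionError:
        results["escalated"] = False
    grant_role(superadmin, target, "realm-admin")  # allowed: realm-admin
    results["super_granted"] = "realm-admin" in target.roles
    return results
```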
