[keycloak-dev] Restrict admins to only allow granting roles they are privileged to
Marek Posolda
mposolda at redhat.com
Wed Mar 25 07:27:24 EDT 2015
+1 for the simple fix, however I agree that more flexibility might be
needed.
We may need some more fine-grained authorization. For example, a user is
authorized to manage application "app1" but not application "app2"
(currently a user with the "manage-applications" role can manage any
application). Similarly, I may want some user to be able to grant/revoke for
other users all application roles of a particular application, etc.
I wonder if we should add the concept of "permission"? Basically a
permission would consist of an action and a target object (could support
wildcards). Permissions are given to roles. For example, the current role
"manage-applications" will have permissions like this:
- create-applications
- update-applications: *
- remove-application: *
So a member of this role can CRUD any application.
Now when users from role "myapp1/foo-role" should be able to
grant/revoke this role to other users, the permission given to the
foo-role will be:
- grant-role: "myapp1", "foo-role"
When users from role "myapp1/bar-role" should be able to grant/revoke
all roles from application "myapp1" to other users, the permission will be:
- grant-role: "myapp1", "*"
The tricky part is to have the permission model flexible enough but not
too complex at the same time ;-)
Maybe it should be driven mainly by real use-cases from the community?
Marek
On 25.3.2015 06:49, Stian Thorgersen wrote:
> I propose we add a check when an admin wants to grant a role. For an admin to be allowed to grant a role, the admin either has to have the admin/realm-admin role or have the role itself. This prevents admins from adding more privileges to themselves than they already have and would also be a way to allow admins that can only manage roles for specific applications.
>
> This should be a simple fix. In the future I think we may need to re-design how we map permissions for Keycloak. I'm really not that happy with the realm apps and such, it's messy and not flexible enough.
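An added example, not Keycloak code and not from either message in the thread: a small Python model of the two proposals side by side, Stian's "realm admin or already holds the role" check and Marek's action/target permissions with wildcards. The role names and the ROLE_PERMISSIONS table are constructed from the examples above; the function names are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Roles that may grant anything (the admin/realm-admin roles named in the thread).
SUPER_ROLES = {"admin", "realm-admin"}


@dataclass(frozen=True)
class Permission:
    """One permission: an action plus a target tuple; "*" in the target is a wildcard."""
    action: str
    target: tuple  # e.g. ("myapp1", "foo-role") or ("myapp1", "*")

    def matches(self, action, target):
        return (self.action == action
                and len(self.target) == len(target)
                and all(fnmatchcase(value, pattern)
                        for pattern, value in zip(self.target, target)))


# Role -> permissions, constructed to mirror the examples in the thread.
ROLE_PERMISSIONS = {
    "manage-applications": {
        Permission("create-applications", ()),
        Permission("update-applications", ("*",)),
        Permission("remove-application", ("*",)),
    },
    "myapp1/foo-role": {Permission("grant-role", ("myapp1", "foo-role"))},
    "myapp1/bar-role": {Permission("grant-role", ("myapp1", "*"))},
}


def simple_can_grant(admin_roles, app, role):
    """Stian's rule: a realm admin, or an admin who already holds the exact role."""
    held = set(admin_roles)
    return bool(SUPER_ROLES & held) or f"{app}/{role}" in held


def permission_can_grant(admin_roles, app, role):
    """Marek's model: some held role carries a grant-role permission covering (app, role)."""
    return any(perm.matches("grant-role", (app, role))
               for held_role in admin_roles
               for perm in ROLE_PERMISSIONS.get(held_role, ()))


def can_grant(admin_roles, app, role):
    """Allow the grant only if at least one rule explicitly permits it; default deny."""
    return simple_can_grant(admin_roles, app, role) or permission_can_grant(admin_roles, app, role)
```

Note that "manage-applications" carries no grant-role permission, so with this model an application manager cannot hand out application roles unless a grant-role permission is added to that role.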