[keycloak-dev] Restrict admins to only allow granting roles they are privileged to

Stian Thorgersen stian at redhat.com
Wed Mar 25 07:52:06 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 12:27:24 PM
> Subject: Re: [keycloak-dev] Restrict admins to only allow granting roles they are privileged to
> 
> +1 for the simple fix, however I agree that more flexibility might be
> needed.

Sure, but we have tons of work that has higher priority, so we couldn't do that for a while.

> 
> We may need some more fine grained authorization. For example, a user is
> authorized to manage application "app1" but not application "app2"
> (currently user with "manage-applications" role can manage any
> application). Similarly I may want some user to grant/revoke other users
> all application roles of particular application etc.
> 
> I wonder if we should add the concept of "permission" ? Basically
> permission would consist of action and target object (could support
> wildcards). Permissions are given to roles. For example current role
> "manage-applications" will have permissions like this:
> - create-applications
> - update-applications: *
> - remove-application: *
> 
> So member of this role can CRUD any application.
> 
> Now when users from role "myapp1/foo-role" should be able to
> grant/revoke this role to other users, the permission given to the
> foo-role will be:
> - grant-role: "myapp1", "foo-role"
> 
> When users from role "myapp1/bar-role" should be able to grant/revoke
> all roles from application "myapp1" to other users, the permission will be:
> - grant-role: "myapp1", "*"
> 
> The tricky part is to have the permission model flexible enough, but not
> be too complex at the same time;-)
> Maybe it should be driven mainly by real use-cases from community?

I don't see the difference in that to just having more roles. We could just have a manage-app role for individual applications.

> 
> Marek
> 
> On 25.3.2015 06:49, Stian Thorgersen wrote:
> > I propose we add a check when an admin wants to grant a role. For an admin
> > to be allowed to grant a role the admin either has to have the
> > admin/realm-admin role or have the role itself. This prevents admins from
> > adding more privileges to themselves than they already have and would also
> > be a way to allow admins that can only manage roles for specific
> > applications.
> >
> > This should be a simple fix. In the future I think we may need to re-design
> > how we map permissions for Keycloak. I'm really not that happy with the
> > realm apps and such, it's messy and not flexible enough.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> 
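As an added illustration (not code from this thread or from Keycloak itself), the following Python model contrasts the two proposals above: Stian's simple rule (an admin may grant a role only if they hold the realm-admin role or the role itself) and Marek's "grant-role: app, role" permissions with wildcards. Role and application names, and the `Role("realm", "admin")` stand-in for the realm-admin role, are constructed for the example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    app: str   # owning application; "realm" is used here for realm-level roles
    name: str


# Constructed stand-in for the admin/realm-admin role, not Keycloak's real identifier.
REALM_ADMIN = Role("realm", "admin")


@dataclass
class Admin:
    roles: set = field(default_factory=set)
    # Marek's model: (application pattern, role pattern), either part may be "*".
    grant_permissions: set = field(default_factory=set)


def can_grant_simple(admin, role):
    """Stian's proposed check: realm-admin, or the admin already holds the role.

    Because an admin can never hand out a role they do not hold, this rule
    blocks an admin from escalating their own privileges via a role grant.
    """
    return REALM_ADMIN in admin.roles or role in admin.roles


def can_grant_with_permissions(admin, role):
    """Marek's extension: explicit grant-role permissions, evaluated with
    shell-style wildcards, in addition to the simple rule."""
    if can_grant_simple(admin, role):
        return True
    return any(
        fnmatchcase(role.app, app_pat) and fnmatchcase(role.name, role_pat)
        for app_pat, role_pat in admin.grant_permissions
    )


def filter_grants(admin, requested, check=can_grant_with_permissions):
    """Split a batch of requested grants into (allowed, denied) so a caller can
    apply the allowed ones and log the denied ones for review."""
    allowed = [r for r in requested if check(admin, r)]
    denied = [r for r in requested if not check(admin, r)]
    return allowed, denied
```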