[keycloak-dev] user group admins
Bill Burke
bburke at redhat.com
Thu Nov 5 12:31:00 EST 2015
A few users have been asking about the ability to limit the admin to
managing a set of users in a group.
I know Pedro is doing permission work, but IMO, this type of thing needs
to be integrated and natural to the Keycloak UI as it would be a
fundamental feature.
Here's a proposal though based on my layout of User Groups in a previous
email.
Group Admins need to be able to:
* Manage group membership
* Manage users within a group to do things like reset credentials and
other user management actions.
* Grant roles to users within a group
* Add attributes to the group
* Grant roles to the group
So, if each User Group had its own Role Namespace, we could define one
or more roles that grant each of those permissions. i.e.
"group-membership-admin", "group-user-admin", "group-admin". If a User
Gruop has its own Role Namespace, it becomes really easy to compose
adminstrative access. So you could define individual "admin groups" and
grant users in those groups permission to manage one more groups.
If groups don't have their own Role Namespace, you need a way to
associate a role to each group admin permission.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list