[keycloak-dev] controlling which roles an admin can grant
Bill Burke
bburke at redhat.com
Thu Nov 5 12:31:07 EST 2015
One of things that we need to be able to do if we have the idea of a
"Group Admin" is to control specifically which role mappings an admin is
allowed to grant. One of the places this comes up currently is that if
an admin has the "manage-users" role, they can pretty much add any
permission they want to themselves and get access to the whole realm.
IMO, this is something we need now. It needs to be built into our admin UI.
So, how could we add the ability to control which roles an admin is
allowed to grant? Under the "Roles" menu option there would be a "Grant
Permissions" tab. Here, the admin can select a role and specify a list
of roles that can be granted if a user has that role.
Here's an example:
Let's say there are 2 sales applications "reporting" and "analytics".
Each of the apps has defined an "admin" and "user" role. We want to have
a developer manage user access to these systems.
1. Define "Sales Access Control Manager" role.
2. Go into "Roles" menu
3. Go to the "Role Granting Permissions" tab.
4. Select the "Sales Access Control Manager" role
5. Select and add the "reporting.user", "reporting.admin",
"analytics.user", and "analytics.admin" roles to the list of roles a
"Sales Access Control Manager" is allowed to grant.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list