[keycloak-dev] controlling which roles an admin can grant

Bill Burke bburke at redhat.com
Thu Nov 5 12:31:07 EST 2015


One of the things that we need to be able to do if we have the idea of a 
"Group Admin" is to control specifically which role mappings an admin is 
allowed to grant.  One of the places this comes up currently is that if 
an admin has the "manage-users" role, they can pretty much add any 
permission they want to themselves and get access to the whole realm.

IMO, this is something we need now.  It needs to be built into our admin UI.

So, how could we add the ability to control which roles an admin is 
allowed to grant? Under the "Roles" menu option there would be a "Grant 
Permissions" tab.  Here, the admin can select a role and specify a list 
of roles that can be granted if a user has that role.

Here's an example:

Let's say there are 2 sales applications "reporting" and "analytics". 
Each of the apps has defined an "admin" and "user" role. We want to have 
a developer manage user access to these systems.

1. Define "Sales Access Control Manager" role.
2. Go into "Roles" menu
3. Go to the "Role Granting Permissions" tab.
4. Select the "Sales Access Control Manager" role
5. Select and add the "reporting.user", "reporting.admin", 
"analytics.user", and "analytics.admin" roles to the list of roles a 
"Sales Access Control Manager" is allowed to grant.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
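The proposal above can be modelled as a per-role allow list that is consulted before any role mapping is written. The following is an added example, not Keycloak code and not from the post; it reuses the role names the post gives ("Sales Access Control Manager", "reporting.user", "reporting.admin", "analytics.user", "analytics.admin", "manage-users") but the `Realm` class, its methods and the user names are assumptions made for the illustration. It shows the escalation case the post describes: the same check bounds an admin granting roles to themselves, so a holder of "manage-users" style privileges cannot widen their own access unless the grant list explicitly allows it.

```python
"""Model of the proposed "Role Granting Permissions" policy.

Constructed example; not Keycloak code. Role names come from the mailing
list post, everything else (Realm, grant, can_grant, user names) is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class GrantDenied(PermissionError):
    """Raised when an admin tries to assign a role outside their grant list."""


@dataclass
class Realm:
    # role name -> set of roles a holder of that role is allowed to grant
    grant_permissions: dict[str, set[str]] = field(default_factory=dict)
    # user name -> set of role names currently mapped to that user
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def allow_granting(self, admin_role: str, grantable: set[str]) -> None:
        """Step 5 of the post: record which roles admin_role may hand out."""
        self.grant_permissions.setdefault(admin_role, set()).update(grantable)

    def grantable_roles(self, admin: str) -> set[str]:
        """Union of the grant lists of every role the admin currently holds."""
        roles: set[str] = set()
        for role in self.user_roles.get(admin, set()):
            roles |= self.grant_permissions.get(role, set())
        return roles

    def can_grant(self, admin: str, role: str) -> bool:
        """True only if some role the admin holds lists `role` as grantable."""
        return role in self.grantable_roles(admin)

    def grant(self, admin: str, target_user: str, role: str) -> None:
        """Enforce the grant list before adding a role mapping.

        The check does not look at target_user, so an admin mapping a role
        onto themselves is bounded exactly like a grant to anyone else.
        """
        if not self.can_grant(admin, role):
            raise GrantDenied(f"{admin!r} is not allowed to grant {role!r}")
        self.user_roles.setdefault(target_user, set()).add(role)


def build_sales_example() -> Realm:
    """Reproduce the post's example: a developer holding the
    "Sales Access Control Manager" role may grant only the four app roles."""
    realm = Realm()
    realm.allow_granting(
        "Sales Access Control Manager",
        {"reporting.user", "reporting.admin", "analytics.user", "analytics.admin"},
    )
    # "manage-users" and the manager role itself are deliberately not grantable
    realm.user_roles["dev"] = {"Sales Access Control Manager"}  # assumed user
    return realm


def demo() -> dict[str, bool]:
    """Exercise an allowed grant and two attempted self-escalations."""
    realm = build_sales_example()
    results: dict[str, bool] = {}

    realm.grant("dev", "alice", "reporting.user")  # alice is an assumed user
    results["alice_has_reporting_user"] = "reporting.user" in realm.user_roles["alice"]

    for role in ("manage-users", "Sales Access Control Manager"):
        try:
            realm.grant("dev", "dev", role)
            results[f"dev_granted_{role}"] = True
        except GrantDenied:
            results[f"dev_granted_{role}"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because `grantable_roles` is the union over every role the admin holds, an admin who holds several "manager" roles gets exactly the sum of their grant lists and nothing more; adding a new grantable role is a deliberate configuration step under the "Roles" menu rather than a side effect of holding "manage-users".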