[keycloak-dev] controlling which roles an admin can grant
Stian Thorgersen
sthorger at redhat.com
Thu Nov 5 13:58:26 EST 2015
Sounds complex and confusing to me. Also how do you specify how's allowed
to manage the role granting permissions?
A simpler approach would be to simply require an admin to have a role to be
able to grant it to another user. When an admin creates a role they would
be given that role as well. You an also composite roles to then achieve the
same as you're mentioning above.
On 5 November 2015 at 18:31, Bill Burke <bburke at redhat.com> wrote:
> One of things that we need to be able to do if we have the idea of a
> "Group Admin" is to control specifically which role mappings an admin is
> allowed to grant. One of the places this comes up currently is that if
> an admin has the "manage-users" role, they can pretty much add any
> permission they want to themselves and get access to the whole realm.
>
> IMO, this is something we need now. It needs to be built into our admin
> UI.
>
> So, how could we add the ability to control which roles an admin is
> allowed to grant? Under the "Roles" menu option there would be a "Grant
> Permissions" tab. Here, the admin can select a role and specify a list
> of roles that can be granted if a user has that role.
>
> Here's an example:
>
> Let's say there are 2 sales applications "reporting" and "analytics".
> Each of the apps has defined an "admin" and "user" role. We want to have
> a developer manage user access to these systems.
>
> 1. Define "Sales Access Control Manager" role.
> 2. Go into "Roles" menu
> 3. Go to the "Role Granting Permissions" tab.
> 4. Select the "Sales Access Control Manager" role
> 5. Select and add the "reporting.user", "reporting.admin",
> "analytics.user", and "analytics.admin" roles to the list of roles a
> "Sales Access Control Manager" is allowed to grant.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151105/b2213059/attachment.html
More information about the keycloak-dev
mailing list