[keycloak-dev] fine-grain admin permissions with Authz

Bill Burke bburke at redhat.com
Mon Mar 13 18:03:41 EDT 2017

On 3/13/17 5:54 PM, Pedro Igor Silva wrote:
> By "local-java-API" you mean use that AuthorizationProvider I 
> mentioned earlier ? That is what I meant by using the AuthZ API (the 
> Java API we use internally in authz services).
Yes, I think that's the one.

> Regarding the admin console, the only thing to keep in mind is how 
> much permissions you are going to get from the server. We also support 
> sending along a entitlement request the resource/scopes you want to 
> access. That can help to perform incremental authorization instead of 
> obtaining everything once from the server.
Yeah, I saw that.  Not sure what the best way would be.  Just think of 
the admin console main screen.  If you can only manage users of a 
specific group there's a bunch of menu items that wouldn't show up.

>     Go to the original post on this email thread to see how I
>     explained user role mappings and what things we want to offer there.
>>     From a UI perspective, are you planning to re-use the UIs we
>>     already have in that "Authorization" tab or provide a specific
>>     set of UIs for defining permissions to KC resources ?
>     My initial thought is that the Authz UI would not be re-used.  I
>     think we need something more user friendly to navigate between all
>     the resources we are going to have.  What do you think?
> It makes sense to provide separated UIs. Although we can also try to 
> re-use authz UIs and see how it looks like. Not sure if usability will 
> be so bad.

Really depends on the realm and what approach we want to take.  Do we 
want one place where all permissions are decided?  Then something like a 
tree view would be need to navigate all the clients, roles, groups and 
other managable resources a realm might have.  One of our customers has 
hundreds of roles and thousands of groups and hundreds of thousands of 
users.  Another approach is have an Authz tab on each thing we want to 
have fine grain permissions on.  I.e. the role page would have a 
"Management permissions" tab.


More information about the keycloak-dev mailing list