[keycloak-dev] initial fine-grain admin permissions
bburke at redhat.com
Tue Mar 21 17:10:14 EDT 2017
Here's what we want to be able to manage for fine-grain admin
permissions for the 1st iteration. If you think we need more, let me
know, but I want to keep this list as small as possible.
* Admin can only apply certain roles to a user
* Admin can view users of a specific group
* Admin can manage users of a specific group (creds, role mappings, etc)
* Admin can only manage a specific group
* Admin can only apply certain roles to a group
* Admin can only manage attributes of a specific group
* Admin can control group membership (add/remove members)
* Admin can only manage a specific client.
* Admin can manage only configuration for a specific client and not
scope mappings or mappers. We have this distinction so that rogues
can't expand the scope of the client beyond what it is allowed to.
* Service accounts can manage the configuration of the client by default?
More information about the keycloak-dev