[keycloak-dev] initial fine-grain admin permissions

Bill Burke bburke at redhat.com
Tue Mar 21 17:10:14 EDT 2017


Here's what we want to be able to manage for fine-grain admin 
permissions for the 1st iteration.  If you think we need more, let me 
know, but I want to keep this list as small as possible.

User management

  * Admin can only apply certain roles to a user
  * Admin can view users of a specific group
  * Admin can manage users of a specific group (creds, role mappings, etc)

Group Management

  * Admin can only manage a specific group
  * Admin can only apply certain roles to a group
  * Admin can only manage attributes of a specific group
  * Admin can control group membership (add/remove members)

Client management:

  * Admin can only manage a specific client.
  * Admin can manage only configuration for a specific client and not
    scope mappings or mappers.  We have this distinction so that rogues
    can't expand the scope of the client beyond what it is allowed to.
  * Service accounts can manage the configuration of the client by default?
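As an added illustration (my own, not Keycloak code and not part of the post above), a small Python model of the grants listed here, including the config-versus-scope-mappings split meant to keep a scoped client admin from widening the client's scope; group, client and role names are constructed.

```python
"""Hypothetical model of scoped admin grants (added example, not Keycloak's own)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AdminGrants:
    # Roles this admin may map onto a user or group; None means unrestricted.
    assignable_roles: Optional[Set[str]] = None
    view_groups: Set[str] = field(default_factory=set)    # may view members
    manage_groups: Set[str] = field(default_factory=set)  # may manage members
    manage_clients: Set[str] = field(default_factory=set)        # whole client
    manage_client_config: Set[str] = field(default_factory=set)  # config only

    def can_apply_role(self, role: str) -> bool:
        return self.assignable_roles is None or role in self.assignable_roles

    def can_view_user(self, user_groups: Set[str]) -> bool:
        # Managing a group's users implies being able to view them.
        return bool(user_groups & (self.view_groups | self.manage_groups))

    def can_manage_user(self, user_groups: Set[str]) -> bool:
        return bool(user_groups & self.manage_groups)

    def can_map_role_to_user(self, role: str, user_groups: Set[str]) -> bool:
        # Both restrictions apply: the right user AND an allowed role.
        return self.can_manage_user(user_groups) and self.can_apply_role(role)

    def can_edit_client(self, client: str, part: str) -> bool:
        # part is "config", "scope-mappings" or "mappers". A config-only
        # grant never reaches scope mappings or mappers, so the admin
        # cannot expand what the client is allowed to request.
        if client in self.manage_clients:
            return True
        return client in self.manage_client_config and part == "config"


def helpdesk_admin() -> AdminGrants:
    # Constructed sample: a helpdesk admin scoped to the "support" group,
    # read-only on "sales", one assignable role and one client's config.
    return AdminGrants(
        assignable_roles={"offline_access"},
        view_groups={"sales"},
        manage_groups={"support"},
        manage_client_config={"support-portal"},
    )
```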