[keycloak-dev] initial fine-grain admin permissions
Marek Posolda
mposolda at redhat.com
Wed Mar 22 09:37:47 EDT 2017
On 21/03/17 22:10, Bill Burke wrote:
> Here's what we want to be able to manage for fine-grain admin
> permissions for the 1st iteration. If you think we need more, let me
> know, but I want to keep this list as small as possible.
>
> User management
>
> * Admin can only apply certain roles to a user
> * Admin can view users of a specific group
> * Admin can manage users of a specific group (creds, role mappings, etc)

Maybe also:
* Admin can only apply roles/groups which he himself has

AFAIK currently we have issues that a user with the "manage-users" role can
assign any role to himself and hence gain permission to everything.

>
> Group Management
>
> * Admin can only manage a specific group
> * Admin can only apply certain roles to a group
> * Admin can only manage attributes of a specific group
> * Admin can control group membership (add/remove members)
>
> Client management:
>
> * Admin can only manage a specific client.
> * Admin can manage only configuration for a specific client and not
> scope mappings or mappers. We have this distinction so that rogues
> can't expand the scope of the client beyond what it is allowed to.

+1

Especially stuff like the hardcoded-role protocol mapper is quite tricky
stuff. If an admin can add it to any client, he can retrieve a token with
permission to edit anything.

Maybe just some "safe" protocol mapper implementations should be
whitelisted? Or have authorization policy integration to double-check
that the user is really a member of a particular role and not just rely on
token roles?

Marek
> * Service accounts can manage the configuration of the client by default?
>
>
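
The two ideas in the reply above (an admin may only grant roles he already holds, and token roles are double-checked against the user's real role mappings), as an added example that is not code from this thread or from Keycloak. The users, role names and the composite-role table are constructed, and expanding composite roles before comparing is an assumption that goes slightly beyond what the message spells out.

```python
# Added illustration, not Keycloak code. All names and data are constructed.
COMPOSITES = {  # composite role -> roles it includes (hypothetical)
    "realm-admin": {"manage-users", "manage-clients", "view-users"},
    "helpdesk": {"view-users"},
}
USER_ROLES = {  # direct role mappings per user (hypothetical)
    "alice": {"realm-admin"},
    "bob": {"manage-users", "helpdesk"},
    "carol": set(),
}


def effective_roles(direct):
    """Expand composite roles transitively into the full set of roles held."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPOSITES.get(role, ()))
    return seen


def may_grant_unrestricted(admin, role):
    """Behaviour the thread describes: "manage-users" alone permits any grant."""
    return "manage-users" in effective_roles(USER_ROLES[admin])


def may_grant_restricted(admin, role):
    """Suggested rule: the admin must already hold the role and all it includes."""
    held = effective_roles(USER_ROLES[admin])
    return "manage-users" in held and effective_roles({role}) <= held


def authorize(user, token_roles, required):
    """Double-check a token role against the user's real role mappings, so a
    role that exists only in the token (e.g. added by a mapper) is ignored."""
    return required in token_roles and required in effective_roles(USER_ROLES[user])


if __name__ == "__main__":
    for admin, role in [("bob", "realm-admin"), ("bob", "helpdesk"), ("alice", "manage-clients")]:
        print(admin, role, may_grant_unrestricted(admin, role), may_grant_restricted(admin, role))
    print(authorize("carol", {"realm-admin"}, "realm-admin"))
```

Under the restricted rule, bob can still hand out "helpdesk" but no longer "realm-admin", and carol's token role is rejected because no role mapping backs it.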