[keycloak-dev] initial fine-grain admin permissions
mposolda at redhat.com
Wed Mar 22 09:37:47 EDT 2017
On 21/03/17 22:10, Bill Burke wrote:
> Here's what we want to be able to manage for fine-grain admin
> permissions for the 1st iteration. If you think we need more, let me
> know, but I want to keep this list as small as possible.
> User management
> * Admin can only apply certain roles to a user
> * Admin can view users of a specific group
> * Admin can manage users of a specific group (creds, role mappings, etc)
* Admin can only apply roles/groups, which he himself has
AFAIK currently we have issues that user with "manage-users" role can
assign any role to himself and hence gain permission to everything.
> Group Management
> * Admin can only manage a specific group
> * Admin can only apply certain roles to a group
> * Admin can only manage attributes of a specific group
> * Admin can control group membership (add/remove members)
> Client management:
> * Admin can only manage a specific client.
> * Admin can manage only configuration for a specific client and not
> scope mappings or mappers. We have this distinction so that rogues
> can't expand the scope of the client beyond what it is allowed to.
Especially stuff like hardcoded-role protocol mapper is quite tricky
stuff. If admin can add it to any client, he can retrieve token with
permission to edit anything.
Maybe just some "safe" protocol mapper implementations should be
whitelisted? Or have authorization policy integration to doublecheck
that user is really member of particular role and not just rely on token
> * Service accounts can manage the configuration of the client by default?
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev