[keycloak-dev] initial fine-grain admin permissions
Bill Burke
bburke at redhat.com
Wed Mar 22 12:15:58 EDT 2017
On 3/22/17 9:37 AM, Marek Posolda wrote:
> On 21/03/17 22:10, Bill Burke wrote:
>> Here's what we want to be able to manage for fine-grain admin
>> permissions for the 1st iteration. If you think we need more, let me
>> know, but I want to keep this list as small as possible.
>>
>> User management
>>
>> * Admin can only apply certain roles to a user
>> * Admin can view users of a specific group
>> * Admin can manage users of a specific group (creds, role
>> mappings, etc)
> Maybe also:
> * Admin can only apply roles/groups which he himself has
>
> AFAIK currently we have issues that a user with the "manage-users" role can
> assign any role to himself and hence gain permission to everything.
>
This falls under the category of "Admin can only apply certain roles to
a user". We're talking implementation detail here, but the way I
envision it will work is each role can define policies on how it is
allowed to be assigned. For example: the "manage-realm" role can only
be assigned if the user has the "admin" role. Also, any policy will be
defined using the Authz service.
Bill
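An added illustration (example code, not Keycloak's implementation and not from the thread) of the model Bill describes: each role carries an assignment policy naming the roles the acting admin must hold to grant it, so an admin holding only "manage-users" cannot hand himself "manage-realm". The policy table, the "view-profile" role and the user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample policy table (not Keycloak's own): for each role, the
# set of roles the acting admin must hold (any one of them) to assign it.
# Roles not listed have no assignment policy, so plain user management
# rights are enough to grant them.
ASSIGNMENT_POLICIES = {
    "admin": {"admin"},
    "manage-realm": {"admin"},
    "manage-users": {"admin"},
}

# Roles that permit managing users at all (constructed for the example).
USER_MANAGER_ROLES = {"admin", "manage-users"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def can_assign(actor: User, role: str) -> bool:
    """Evaluate the assignment policy of `role` against the actor's own roles."""
    if not actor.roles & USER_MANAGER_ROLES:
        return False  # actor may not manage users at all
    required = ASSIGNMENT_POLICIES.get(role)
    if required is None:
        return True  # unrestricted role: any user manager may grant it
    return bool(actor.roles & required)


def assign_role(actor: User, target: User, role: str) -> bool:
    """Grant `role` to `target` only if the actor passes the role's policy.
    Returns True on success, False when the policy denies the assignment."""
    if not can_assign(actor, role):
        return False
    target.roles.add(role)
    return True


def escalation_attempt() -> dict:
    """Scenario from the thread: an admin holding only 'manage-users' tries
    to grant himself 'manage-realm' and 'admin', then grants a plain role."""
    helpdesk = User("helpdesk", {"manage-users"})
    alice = User("alice")
    return {
        "self_manage_realm": assign_role(helpdesk, helpdesk, "manage-realm"),
        "self_admin": assign_role(helpdesk, helpdesk, "admin"),
        "grant_plain_role": assign_role(helpdesk, alice, "view-profile"),
        "helpdesk_roles": set(helpdesk.roles),
    }
```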