[keycloak-dev] initial fine-grain admin permissions

Bill Burke bburke at redhat.com
Wed Mar 22 12:15:58 EDT 2017

On 3/22/17 9:37 AM, Marek Posolda wrote:
> On 21/03/17 22:10, Bill Burke wrote:
>> Here's what we want to be able to manage for fine-grain admin
>> permissions for the 1st iteration.  If you think we need more, let me
>> know, but I want to keep this list as small as possible.
>> User management
>>    * Admin can only apply certain roles to a user
>>    * Admin can view users of a specific group
>>    * Admin can manage users of a specific group (creds, role 
>> mappings, etc)
> Maybe also:
> * Admin can only apply roles/groups, which he himself has
> AFAIK currently we have issues that user with "manage-users" role can 
> assign any role to himself and hence gain permission to everything.

This falls under the category of "Admin can only apply certain roles to 
a user".  We're talking implementation detail here, but the way I 
envision it will work is each role can define policies on how it is 
allowed to be assigned.  For example: the "manage-realm" role can only 
be assigned if the user has the "admin" role.  Also, any policy will be 
defined using the Authz service.
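The two rules discussed above (an admin may only manage users in a group assigned to them, and a role may only be assigned by someone whose own roles satisfy that role's policy) can be sketched as a small authorization check. The following is an added illustration, not code from Keycloak or from anyone in this thread; the `RealmPolicy`, `User` and `check_assignment` names, the policy table and the sample users are all constructed for the example. It also shows how the per-role policy closes the escalation Marek describes: a "manage-users" admin cannot hand "manage-realm" to themselves because that role's policy requires "admin".

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Constructed example: a minimal model of per-role assignment policies and
# group-scoped user management. This is not Keycloak's Authz service; it only
# mirrors the shape of the rules discussed in the thread.


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


@dataclass
class RealmPolicy:
    # role -> roles an assigner may hold; holding ANY one of them permits assignment
    role_assignment: Dict[str, FrozenSet[str]]
    # admin username -> groups whose members that admin may manage
    managed_groups: Dict[str, FrozenSet[str]]
    # roles with no specific policy that any "manage-users" admin may hand out
    default_assignable: FrozenSet[str] = frozenset()


def may_manage_user(admin: User, target: User, policy: RealmPolicy) -> bool:
    """Group scope: full admins manage everyone; others only members of their groups."""
    if "admin" in admin.roles:
        return True
    if "manage-users" not in admin.roles:
        return False
    allowed = policy.managed_groups.get(admin.username, frozenset())
    return bool(target.groups & allowed)


def may_assign_role(admin: User, role: str, policy: RealmPolicy) -> bool:
    """Role policy: the assigner must hold a role that the target role's policy names."""
    required = policy.role_assignment.get(role)
    if required is None:
        # No explicit policy: only generally assignable roles, and only for manage-users admins
        return role in policy.default_assignable and "manage-users" in admin.roles
    return bool(admin.roles & required)


def check_assignment(admin: User, target: User, role: str, policy: RealmPolicy) -> Optional[str]:
    """Return None when the assignment is permitted, otherwise the denial reason."""
    if not may_manage_user(admin, target, policy):
        return f"{admin.username} may not manage user {target.username}"
    if not may_assign_role(admin, role, policy):
        return f"{admin.username} may not assign role {role}"
    return None


def assign_role(admin: User, target: User, role: str, policy: RealmPolicy) -> None:
    """Apply the role only after both checks pass; otherwise refuse loudly."""
    reason = check_assignment(admin, target, role, policy)
    if reason is not None:
        raise PermissionError(reason)
    target.roles.add(role)


# Constructed sample policy and users (hypothetical names, not from the thread).
POLICY = RealmPolicy(
    role_assignment={
        "manage-realm": frozenset({"admin"}),
        "manage-users": frozenset({"admin", "manage-realm"}),
    },
    managed_groups={"alice": frozenset({"sales"})},
    default_assignable=frozenset({"report-viewer"}),
)

ROOT = User("root", roles={"admin"})
ALICE = User("alice", roles={"manage-users"}, groups={"sales"})
BOB = User("bob", groups={"sales"})
CAROL = User("carol", groups={"engineering"})

if __name__ == "__main__":
    attempts = [
        (ALICE, BOB, "report-viewer"),    # allowed: group in scope, role generally assignable
        (ALICE, ALICE, "manage-realm"),   # denied: self-escalation blocked by the role policy
        (ALICE, CAROL, "report-viewer"),  # denied: carol is outside alice's managed groups
        (ROOT, BOB, "manage-realm"),      # allowed: root holds "admin"
    ]
    for admin, target, role in attempts:
        reason = check_assignment(admin, target, role, POLICY)
        print(f"{admin.username} -> {target.username} {role}: "
              f"{'allowed' if reason is None else reason}")
```

The group check runs before the role check so that an admin is never told which roles they could assign to a user they are not allowed to touch at all; both checks are pure functions of the policy, so they can be evaluated by an external policy engine such as the Authz service rather than hard-coded in the admin console.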

