[keycloak-dev] initial fine-grain admin permissions
dsbenghe at gmail.com
Wed Mar 22 20:52:34 EDT 2017
* Admin can only manage a specific identity provider?
On Wed, Mar 22, 2017 at 8:10 AM, Bill Burke <bburke at redhat.com> wrote:
> Here's what we want to be able to manage for fine-grain admin
> permissions for the 1st iteration. If you think we need more, let me
> know, but I want to keep this list as small as possible.
> User management
> * Admin can only apply certain roles to a user
> * Admin can view users of a specific group
> * Admin can manage users of a specific group (creds, role mappings, etc)
> Group Management
> * Admin can only manage a specific group
> * Admin can only apply certain roles to a group
> * Admin can only manage attributes of a specific group
> * Admin can control group membership (add/remove members)
> Client management:
> * Admin can only manage a specific client.
> * Admin can manage only configuration for a specific client and not
> scope mappings or mappers. We have this distinction so that rogues
> can't expand the scope of the client beyond what it is allowed to.
> * Service accounts can manage the configuration of the client by default?
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
More information about the keycloak-dev