[keycloak-dev] initial fine-grain admin permissions

Stian Thorgersen sthorger at redhat.com
Thu Mar 23 02:24:30 EDT 2017


Is that really needed? Managing identity providers is managing realm
configuration. It's also very complicated due to the fact that it's importing
users into the realm and the permissions those users receive can also be
configured through mappers.

On 23 March 2017 at 01:52, Dumitru Sbenghe <dsbenghe at gmail.com> wrote:

> What about
>
> Identity providers
> * Admin can only manage a specific identity provider?
>
> On Wed, Mar 22, 2017 at 8:10 AM, Bill Burke <bburke at redhat.com> wrote:
>
> > Here's what we want to be able to manage for fine-grain admin
> > permissions for the 1st iteration.  If you think we need more, let me
> > know, but I want to keep this list as small as possible.
> >
> > User management
> >
> >   * Admin can only apply certain roles to a user
> >   * Admin can view users of a specific group
> >   * Admin can manage users of a specific group (creds, role mappings,
> >     etc)
> >
> > Group Management
> >
> >   * Admin can only manage a specific group
> >   * Admin can only apply certain roles to a group
> >   * Admin can only manage attributes of a specific group
> >   * Admin can control group membership (add/remove members)
> >
> > Client management:
> >
> >   * Admin can only manage a specific client.
> >   * Admin can manage only configuration for a specific client and not
> >     scope mappings or mappers.  We have this distinction so that rogues
> >     can't expand the scope of the client beyond what it is allowed to.
> >   * Service accounts can manage the configuration of the client by
> >     default?
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >

