[keycloak-user] Realm Level Admin

Bill Burke bburke at redhat.com
Thu Feb 13 08:55:30 EST 2014


The way it works now is that the "Super Realm" has an "admin-console" 
application.  This "admin-console" has an "admin" role.  Users in the 
"Super Realm" are given this role.  Keycloak can secure itself this way 
and be self bootstrapped as you see when you run the tutorials.  What's 
even more interesting about this approach is that you can do OAuth 
grants too.  You can temporarily grant a third-party app permission to 
do things to any realm you want.

We should probably do something similar for each individual realm.



On 2/13/2014 5:37 AM, Travis De Silva wrote:
> Wow. Didn't think of the other use cases that you listed. Yes it's
> definitely something that happens in the real world and would be great
> if Keycloak has these features. No complaints from me if we can do what I
> suggested as a starting point for obvious selfish reasons :)
>
> I have raised a Jira case for this.
> https://issues.jboss.org/browse/KEYCLOAK-292
>
> Keycloak early champion community members, please vote for this feature.
>
> BTW, thanks Stian, Bill and the Keycloak team for your fantastic work.
> Keycloak is so simple to use and implement and that is amazing when you
> think the complex problems it is solving. Wishing Keycloak all the best.
>
>
> On Wed, Feb 12, 2014 at 9:11 PM, Stian Thorgersen <stian at redhat.com> wrote:
>
>     This is not possible at the moment. It's something that I'd imagine
>     would be needed, and at a more fine-grained control. I can imagine
>     scenarios such as:
>
>     * Devs that are allowed to create/edit apps, but not manage users
>     * Devs that can create clients, but not applications
>     * Managers that are allowed to view user details, but not reset passwords, etc.
>     * Admins that can do everything for a single realm, or for all realms
>
>     We don't have anything planned at the moment though, and what you're
>     proposing could be a sensible starting point. Please create a JIRA ;)
>
>     ----- Original Message -----
>      > From: "Travis De Silva" <traviskds at gmail.com>
>      > To: keycloak-user at lists.jboss.org
>      > Sent: Wednesday, 12 February, 2014 6:48:09 AM
>      > Subject: [keycloak-user] Realm Level Admin
>      >
>      > I have not been able to figure out if we can have Realm level admins.
>      > My use case is:
>      >
>      > We have Keycloak application-wide super admins. They can create new
>      > realms, go into any realm and create users, applications etc. Just how
>      > the default admin user operates now.
>      >
>      > Then within a Realm, for example let's say Demo realm, can we have a
>      > different admin user (e.g. demo realm admin) who can perform all the
>      > tasks but only within that Realm. That user will not be able to view
>      > the other realms (i.e. it should not display the realm selection drop
>      > down and also should not be able to create new realms).
>      >
>      > Thoughts? I am happy to raise a feature request in Jira if this is
>      > currently not possible and doable in a future release as I believe this
>      > feature will increase user adoption, especially for applications that
>      > are built with multi-tenancy functionality.
>      >
>      >
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
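
The realm scoping discussed in this thread, as an added example that is not part of the original messages and not Keycloak code: a deny-by-default check in which an "admin" role from the Super Realm spans every realm, while a per-realm role is confined to its own realm. The role names other than "admin", the action strings, the realm identifiers and the sample users are assumptions made for illustration.

```python
# Added illustration: a hypothetical model, not Keycloak code.
from dataclasses import dataclass, field

SUPER_REALM = "super"        # assumed identifier for the "Super Realm"

# Assumed role names mapped to the actions they permit ("*" = everything).
ROLE_ACTIONS = {
    "admin": {"*"},
    "manage-apps": {"app:create", "app:edit"},
    "view-users": {"user:view"},
}

@dataclass(frozen=True)
class Grant:
    realm: str   # realm whose "admin-console" application defines the role
    role: str

@dataclass
class User:
    name: str
    home_realm: str
    grants: set = field(default_factory=set)

def is_allowed(user, action, target_realm):
    """Deny by default; a grant must cover both the target realm and the action."""
    for g in user.grants:
        if g.realm != user.home_realm:
            continue  # a role is honoured only inside the realm the user belongs to
        actions = ROLE_ACTIONS.get(g.role, set())  # unknown roles grant nothing
        # Super-realm roles span every realm; all others are confined to their own.
        in_scope = g.realm == SUPER_REALM or g.realm == target_realm
        if in_scope and ("*" in actions or action in actions):
            return True
    return False

# Constructed sample users.
root = User("root", SUPER_REALM, {Grant(SUPER_REALM, "admin")})
demo_admin = User("demo-admin", "demo", {Grant("demo", "admin")})
dev = User("dev", "demo", {Grant("demo", "manage-apps")})
manager = User("manager", "demo", {Grant("demo", "view-users")})
stray = User("stray", "demo", {Grant(SUPER_REALM, "admin")})  # misassigned grant

if __name__ == "__main__":
    for u in (root, demo_admin, dev, manager, stray):
        print(u.name, is_allowed(u, "user:reset-password", "demo"),
              is_allowed(u, "realm:create", None))
```

Realm creation is modelled as an action with no target realm, so only a Super Realm admin can satisfy it.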

