[keycloak-user] Roles/permissions specific to Client application.

Raghu Prabhala prabhalar at yahoo.com
Mon Apr 13 22:23:58 EDT 2015


Hi Dev team,

The current KC model has very coarse-grained roles that do not work for us, specifically with regard to application management. Let me explain our use case.

We allow only a set of users to register/update client applications, subject to the conditions below (a simplification of our actual use case):

1) Every client application has a set of owners, and only the owners of the application can register/update an application in KC, in addition to point 2) below.
2) Every application is part of a family that has a set of owners who can register/update any application within that family.

When a user logs into KC, I can query our external repository to see if the user is in, say, the "App1 owner" role or the "App1 Family Owner" role and, if so, allow him to register the application (App1) in KC. I should also be able to link that "App1 owner" role to the newly registered application in KC so that if another user belonging to the "App1 owner" or "App1 Family Owner" role comes in, I should allow him to update App1 and not any other application, subject to conditions 1 and 2.

How can we achieve the above functionality in KC? Appreciate some pointers and if there is something that can be done in KC then let me know and I will put in an enhancement request.

Thanks in advance,
Raghu

