[keycloak-user] Roles/permissions specific to Client application.

Stian Thorgersen stian at redhat.com
Wed Apr 15 08:16:42 EDT 2015


Supporting something like that would require a revamp of how we manage permissions for Keycloak admin console and endpoints.

If we can come up with a good way to do it properly I don't see any reason not to support this level of permissions. However, I wouldn't want to just duct tape it onto what we already have.

Currently we create "fictitious" applications to manage permissions for realms. I don't really like this approach and it would not work for applications (as you'd have two applications per-application).


----- Original Message -----
> From: "Raghu Prabhala" <prabhalar at yahoo.com>
> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, April 14, 2015 4:23:58 AM
> Subject: [keycloak-user] Roles/permissions specific to Client application.
> 
> Hi Dev team,
> 
> The current KC model has very coarse-grained roles that do not work for us,
> specifically with regard to application management. Let me explain our
> use case.
> 
> We allow only a set of users to register/update client applications subject
> to the below conditions (a simplification of our actual use case):
> 
> 1) Every client application has a set of owners and only the owners of the
> application can register/update an application in KC in addition to the
> point 2) below.
> 2) Every application is part of a family that has a set of owners who can
> register/update any application within that family.
> 
> When a user logs into KC, I can query our external repository to see if the
> user is in say "App1 owner" role or "App1 Family Owner" role and if so,
> allow him to register the application (App1) in KC. I should also be able to
> link that "App1 owner" role to the newly registered application in KC so
> that when another user belonging to "App1 owner" or "App1 Family Owner"
> role comes in, I should allow him to update App1 and not any other
> application, subject to conditions 1 and 2.
> 
> How can we achieve the above functionality in KC? Appreciate some pointers
> and if there is something that can be done in KC then let me know and I will
> put in an enhancement request.
> 
> Thanks in advance,
> Raghu
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
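
The ownership rule from the original message (conditions 1 and 2), written out as an added example; it is not part of either post and is not Keycloak code. The `ClientRegistry` class, the role tuples and the sample users, applications and families are hypothetical and constructed for illustration, and the example generalizes "App1 Family Owner" to a family that contains several applications.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the external repository
# described in the message (assumption: it can answer both lookups).
APP_FAMILY = {"App1": "FamilyA", "App2": "FamilyA", "App3": "FamilyB"}
USER_ROLES = {
    "alice": {("app-owner", "App1")},
    "bob": {("family-owner", "FamilyA")},
    "carol": {("app-owner", "App3")},
}


def owner_roles_for(app):
    """Roles that may register/update `app`: its owners (condition 1)
    and the owners of its family (condition 2)."""
    family = APP_FAMILY.get(app)
    if family is None:
        return frozenset()  # unknown application: no role qualifies
    return frozenset({("app-owner", app), ("family-owner", family)})


@dataclass
class ClientRegistry:
    """Hypothetical registry of client applications, deny by default."""
    clients: dict = field(default_factory=dict)  # app -> roles linked at registration

    def register(self, user, app):
        allowed = owner_roles_for(app)
        if app in self.clients or not (USER_ROLES.get(user, set()) & allowed):
            return False
        # Link the owner roles to the new client so later updates are
        # checked against this client only.
        self.clients[app] = allowed
        return True

    def update(self, user, app):
        linked = self.clients.get(app)
        if linked is None:
            return False  # not registered: nothing to update
        return bool(USER_ROLES.get(user, set()) & linked)
```
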

