[keycloak-user] Application Management

Stian Thorgersen stian at redhat.com
Tue Mar 24 01:55:01 EDT 2015


I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.

Basically:
* A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
* A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
* A user with the role manage-users and some roles on app2 can only grant other users the roles on app2

This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems? 

----- Original Message -----
> From: "Alex Gouvêa Vasconcelos" <alexgv99 at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 23 March, 2015 3:55:07 PM
> Subject: [keycloak-user] Application Management
> 
> Hi all...
> 
> We started using Keycloak a few weeks ago, trying an SSO solution for our
> company. We used to use a proprietary system for
> authentication/authorization and our users have a console admin which allows
> them to manage users and roles per application.
> We tried doing that in Keycloak but the only way we found to do something
> similar to that, was giving realm-management rights to the application
> admin. This was not what we were trying to do, because those rights allow
> the admin of app1 to give permission to users of app2.
> 
> We found another user of this forum with a similar question in February
> archives... [1] but the answer did not specify if this is in future plans.
> If not, is there any help we could count on to implement ourselves?
> 
> [1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
> 
> Best regards.
> Alex Gouvêa Vasconcelos
> mailto: alexgv99 at gmail.com
> 
> 

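The grant rule proposed in the reply above, sketched as an added example (not part of the original message and not Keycloak code). It assumes the strict reading, where "roles the admin has access to" means roles the granter personally holds; the `User` class, the `(scope, role)` pairs and the sample users are hypothetical.

```python
from dataclasses import dataclass, field

# Roles are (scope, role) pairs; scope is an application name or "realm".
# "admin" and "manage-users" are named in the message, the rest is hypothetical.
SUPER_USER = ("realm", "admin")
MANAGE_USERS = ("realm", "manage-users")


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def grantable_roles(granter, requested):
    """Return the subset of `requested` that `granter` is allowed to hand out."""
    requested = set(requested)
    if SUPER_USER in granter.roles:
        return requested                  # super user: any role
    if MANAGE_USERS not in granter.roles:
        return set()                      # not a user manager at all
    # Assumption: a manager can pass on only roles they hold themselves, and
    # the management roles are excluded so managers cannot create managers.
    own = granter.roles - {SUPER_USER, MANAGE_USERS}
    return requested & own


def grant(granter, target, requested):
    """Apply a grant; refuse the whole request if any single role is denied."""
    requested = set(requested)
    denied = requested - grantable_roles(granter, requested)
    if denied:
        raise PermissionError(f"{granter.name} may not grant {sorted(denied)}")
    target.roles |= requested
    return target.roles


if __name__ == "__main__":
    # Constructed sample users, for illustration only.
    app1_admin = User("app1-admin", {MANAGE_USERS, ("app1", "editor")})
    bob = User("bob")
    print(grant(app1_admin, bob, {("app1", "editor")}))   # allowed
    try:
        grant(app1_admin, bob, {("app2", "editor")})      # other app: refused
    except PermissionError as err:
        print("denied:", err)
```

The same check covers self-grants, since the granter and the target may be the same user and the grantable set never exceeds what the granter already holds.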

