[keycloak-user] Application Management

Thiago Presa thiago.addevico at gmail.com
Tue Mar 24 08:41:16 EDT 2015


Hi there,

I'm Alex's coworker and I'll be working on this too.

We were just discussing your idea, and it seems to fit our requirements.

As far as we have seen, keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
realm master.

We are currently thinking if we could mimic this structure for
applications. What do you think?

> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
>
> Basically:
> * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>
> This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?
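
The grant rule proposed in the quoted message, modelled as an added example (not part of the original thread and not Keycloak code). It assumes the strict reading that a manage-users admin may grant only roles they hold themselves; the `Admin` type, the function names, the `admin` super user role name and the `editor`/`viewer` roles are hypothetical.

```python
from dataclasses import dataclass

# Roles are (container, name) pairs: the container is the realm or an application.
SUPER_USER = ("realm", "admin")            # assumed name for the per-realm super user role
MANAGE_USERS = ("realm", "manage-users")   # role name taken from the thread


@dataclass(frozen=True)
class Admin:
    name: str
    roles: frozenset  # roles this administrator holds


def can_grant(admin, role):
    """True if `admin` may grant `role` to another user under the proposed rule."""
    if SUPER_USER in admin.roles:
        return True                  # super user may grant any role
    if MANAGE_USERS not in admin.roles:
        return False                 # holding a role alone does not allow granting it
    return role in admin.roles       # assumption: only roles the admin already holds


def grant_roles(admin, target_roles, requested):
    """All-or-nothing grant: returns (resulting role set, sorted denied roles)."""
    denied = sorted(r for r in requested if not can_grant(admin, r))
    if denied:
        return frozenset(target_roles), denied   # reject the whole request
    return frozenset(target_roles) | frozenset(requested), []


# Constructed sample administrators.
ROOT = Admin("root", frozenset({SUPER_USER}))
ALICE = Admin("alice", frozenset({MANAGE_USERS, ("app1", "editor")}))
BOB = Admin("bob", frozenset({("app1", "editor")}))   # no manage-users role

if __name__ == "__main__":
    # alice tries to give herself a role on app2 that she does not hold.
    print(grant_roles(ALICE, ALICE.roles, {("app2", "viewer")}))
    # alice grants the app1 role she holds to a user with no roles.
    print(grant_roles(ALICE, frozenset(), {("app1", "editor")}))
```

Rejecting the whole request when any role is denied keeps a mixed request from being partially applied, which makes denied attempts easy to log and audit.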