[keycloak-user] Application Management

Thiago Presa thiago.addevico at gmail.com
Tue Mar 24 13:33:36 EDT 2015


OK, agreed. We thought this out of consistency, but if that's not a good
design we surely can consider a better one.

On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Thiago Presa" <thiago.addevico at gmail.com>
> > To: stian at redhat.com
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > Subject: Re: [keycloak-user] Application Management
> >
> > Hi there,
> >
> > I'm Alex's coworker and I'll be working on this too.
> >
> > We were just discussing your idea, and it seems to fit our requirements.
> >
> > As far as we have seen, keycloak already has a realm-admin concept.
> > Whenever a realm "R" is created, it creates a R-realm application with
> > a bunch of default roles (manage-users, manage-roles, etc.) into the
> > realm master.
> >
> > We are currently thinking if we could mimic this structure for
> > applications. What do you think?
>
> It's already messy with the way I modelled it and adding the same for
> applications would be even worse. I don't see why that's needed though if
> we'd add what I proposed.
>
> >
> > > I had an idea a while back that is a simple way to achieve what you're
> > > asking for. The idea would be to only allow an admin to grant roles that
> > > the admin has access to.
> > >
> > > Basically:
> > > * A user with admin (super user) role can grant any roles (we
> > >   would need to add a per-realm super user role)
> > > * A user with the role manage-users and some roles on app1 can only grant
> > >   other users the roles on app1
> > > * A user with the role manage-users and some roles on app2 can only grant
> > >   other users the roles on app2
> > >
> > > This is something we should add in either case (to prevent users granting
> > > themselves more access). Would it solve your problems?
> >
>
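
The grant rule proposed in the quoted message, sketched as an added example; it is not part of the original thread and is not Keycloak code. The role model, the names `User`, `grantable`, `grant` and `outcome`, and the reading of "has access to" as "holds the role" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed model: a role is a (container, name) pair, the container being
# the realm or an application. None of these names are Keycloak APIs.
SUPER_USER = ("realm", "admin")            # per-realm super user role (proposed)
MANAGE_USERS = ("realm", "manage-users")

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

class GrantDenied(Exception):
    """Raised when an admin asks to grant a role outside their own access."""

def grantable(admin: User, requested: set) -> set:
    """Subset of `requested` that `admin` is allowed to hand out."""
    if SUPER_USER in admin.roles:
        return set(requested)              # super user: any role
    if MANAGE_USERS not in admin.roles:
        return set()                       # not allowed to manage users at all
    return set(requested) & admin.roles    # assumption: "has access to" = "holds"

def grant(admin: User, target: User, requested: set) -> None:
    """Apply the grant atomically: one disallowed role rejects the request."""
    denied = set(requested) - grantable(admin, requested)
    if denied:
        raise GrantDenied(f"{admin.name} may not grant {sorted(denied)}")
    target.roles |= set(requested)

def outcome(admin: User, target: User, requested: set) -> str:
    """Attempt a grant and report 'granted' or 'denied'."""
    try:
        grant(admin, target, requested)
        return "granted"
    except GrantDenied:
        return "denied"

# Constructed users covering the cases listed in the thread.
root = User("root", {SUPER_USER})
alice = User("alice", {MANAGE_USERS, ("app1", "editor")})
carol = User("carol", {("app1", "editor")})   # app role but no manage-users
bob = User("bob")

if __name__ == "__main__":
    for admin, role in [(alice, ("app1", "editor")), (alice, ("app2", "viewer")),
                        (carol, ("app1", "editor")), (root, ("app2", "viewer"))]:
        print(admin.name, role, outcome(admin, bob, {role}))
```

Rejecting the whole request when any one role is disallowed keeps a mixed request from being partially applied, and the same check covers the self-grant case because the target may be the admin.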