[keycloak-user] Client roles for 'security-admin-console' application are not fine grained enough

[Stian Thorgersen]

We're aware that permissions are not fine grained enough at the moment and
we are planning on providing something better in the future. It will
however be a while until we are able to do so.

On 22 July 2016 at 16:36, Valerij Timofeev <valerij.timofeev at gmail.com>
wrote:

> Hi,
>
> after reading the ticket KEYCLOAK-528 I've encountered two other issues in
> the "security-admin-console" application (tested on RH SSO 7.0.0):
>
> 1) As soon as a realm user gets the 'manage-users' role, he can manage
> "User federation" settings and even delete it. This can result in
> unintentional removal of all users linked with the user federation provider
> and thus affect potentially millions of users.
>
> 2) Users having 'view-users' role can view "User Federation". "Delete"
> button is visible as well although it does not work finally.
>
> IMO "User federation" should be covered by the realm management roles
> instead.
>
> Additionally the provided roles for the 'realm-management' client are not
> fine grained enough IMO. One role per REST method would be ideal and, I
> suppose, simplier to consider in the Keycloak Admin API.
>
> The "security-admin-console" application without fine grained roles
> exposes too much risk in real life scenarios and so makes it unusable. One
> use case in mind: prevent deletion of any kind for Helpdesk employees e.g.
> managing users. Having dedicated roles for DELETE operation would make such
> task possible.
>
> Kind regards
> Valerij Timofeev
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160816/360d947f/attachment.html