[keycloak-user] Fine grain permission for a realm admin user that can also create client and create a User in his Realm

Ansari, Hasebullah hasebullah.ansari at syntlogo.de
Tue Jul 17 10:15:34 EDT 2018


Hello all,

I have a use case scenario which involves fine-grained permission settings for an admin of a particular realm who should be able to create a client and create a user, with restrictions such as: he must not play with the client ‘realm-management’, and he must not map realm-admin to himself. The problem is that I can restrict the realm admin to manage one client, or restrict him to map only the said roles, but then he cannot create a client or create a user himself because he requires a more coarse role like ‘manage-users’ or ‘manage-clients’. And once I give the realm admin these two roles, he can do everything in the realm, and this is the problem.

So in short,

  1.  I want to have a realm-admin that can create users and clients in his dedicated realm
  2.  Also I want to make sure that he doesn’t have access to play around with realm-management client and that he doesn’t have access to map roles to himself or other users with something like ‘manage-user, manage-realm, manage, manage-clients’

Cheers,

__________________________________________________________________________________________________________________________
Visit LOGIN MASTER<https://login-master.com/> – The user-management solution for the web.
__________________________________________________________________________________________________________________________
Hasebullah A Ansari
Master of Engineering in IT, Heidelberg

IT Specialist / Java Developer
Syntlogo GmbH
Mercedesstraße 1
D-71063 Sindelfingen

Email:      hasebullah.ansari at syntlogo.de<mailto:hasebullah.ansari at syntlogo.de>
Website: www.syntlogo.de<http://www.syntlogo.de/>


This message is confidential. If you are not the intended recipient, we kindly ask you to inform the sender and delete the information.
Any unauthorised dissemination or copying hereof is prohibited. As we cannot guarantee the genuineness or completeness of the information
contained in this message, the statements set forth above are not legally binding. Accordingly, we cannot accept liability therefore.

Stuttgart HRB 245317, Managing Director Dr. G. Baruzzi, VAT ID: DE 219566705
__________________________________________________________________________________________________________________________
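The post above wants a delegated realm admin who holds the coarse roles needed to create users and clients but never ends up with full control of the realm. One thing a practitioner will want before and after touching fine-grained permissions is an audit of which realm-management client roles that admin effectively holds, because Keycloak's built-in `realm-admin` role is a composite and a forbidden role can be reached indirectly through it. The script below is an added example, not code from the original post or from Keycloak: it expands composite roles transitively and reports forbidden roles together with the composite chain they were reached through. The composite membership table, the `REQUIRED`/`FORBIDDEN` sets and the sample role-mapping JSON are constructed assumptions for the example, not values read from a Keycloak server.

```python
"""Audit the realm-management role mappings of a delegated realm admin.

Added example: expands composite roles the way an "effective" role mapping
would and reports which coarse realm-management roles the admin ends up with.
"""
from typing import Dict, Iterable, List, Set

# Constructed composite graph (assumption for this example): which
# realm-management client roles each composite role contains. Keycloak ships
# `realm-admin` as a composite of the other realm-management roles; the exact
# membership listed here was not copied from a running instance.
COMPOSITES: Dict[str, Set[str]] = {
    "realm-admin": {
        "manage-users", "manage-clients", "manage-realm",
        "manage-authorization", "manage-events", "manage-identity-providers",
        "view-users", "view-clients", "view-realm",
    },
}

# Roles the delegated admin needs in order to create users and clients.
REQUIRED: Set[str] = {"manage-users", "manage-clients"}

# Roles that must never reach the delegated admin, directly or via a composite.
FORBIDDEN: Set[str] = {"realm-admin", "manage-realm"}


def effective_roles(direct: Iterable[str],
                    composites: Dict[str, Set[str]] = COMPOSITES
                    ) -> Dict[str, List[str]]:
    """Expand composites transitively.

    Returns role -> chain of composites it was reached through;
    an empty chain means the role was assigned directly.
    """
    reached: Dict[str, List[str]] = {}
    stack = [(role, []) for role in direct]
    while stack:
        role, via = stack.pop()
        if role in reached:          # already expanded, avoid cycles
            continue
        reached[role] = via
        for child in composites.get(role, ()):
            stack.append((child, via + [role]))
    return reached


def audit(direct: Iterable[str]) -> Dict[str, object]:
    """Check the admin's effective roles against REQUIRED and FORBIDDEN."""
    eff = effective_roles(direct)
    held_forbidden = {r: eff[r] for r in sorted(FORBIDDEN) if r in eff}
    missing = sorted(REQUIRED - set(eff))
    return {
        "ok": not held_forbidden and not missing,
        "forbidden": held_forbidden,   # role -> composite chain it came through
        "missing": missing,
    }


def role_names(role_mappings: List[dict]) -> List[str]:
    """Pull the role names out of RoleRepresentation-like dicts (shape assumed)."""
    return [r["name"] for r in role_mappings]


# Constructed samples of what a client-role-mapping query for the admin user on
# the realm-management client might return (field names are an assumption).
SAMPLE_RESTRICTED = [
    {"name": "manage-users", "clientRole": True, "composite": False},
    {"name": "manage-clients", "clientRole": True, "composite": False},
]
SAMPLE_ESCALATED = [
    {"name": "realm-admin", "clientRole": True, "composite": True},
]

if __name__ == "__main__":
    for label, sample in (("restricted", SAMPLE_RESTRICTED),
                          ("escalated", SAMPLE_ESCALATED)):
        print(label, audit(role_names(sample)))
```

The escalated sample shows why the audit must expand composites: `manage-realm` is not assigned directly, yet it is reported as held with the chain `["realm-admin"]`. Note that this only checks role mappings; whether the admin can later map a forbidden role to himself depends on the fine-grained permissions the post is asking about, and that has to be checked separately against the permission policies.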