Hi @ondamike,

Your demo is very sleek and I can certainly see this belonging as part of Keycloak directly rather than an extension. It is a fairly big topic though, so we would need to carefully define an MVP and make sure the implementation is flexible enough to support customization as well as be possible to extend without too much effort.

I haven't dug into your codebase or looked in detail what capabilities you have already implemented, but would love to discuss this future, especially if you have capacity and interest in contributing to Keycloak. Happy to arrange a call at some point to discuss future if you are interested?

Some quick thoughts that came up to me when viewing your demo:

• How does this align with fine-grained admin permissions (FGA) v2? That could enable more control over who and what needs approval, and by whom; and also open the door for delegated admins to approve things (for example a specific group of developers could approve changes to some clients, and not require a super admin for approval)
• Not sure about the model wrapper approach (bear in mind I haven't looked at the code). We had a prototype a long time ago around something similar that leveraged events to plugin similar capabilites
• Not sure about how useful this is with only a percentage quorum and lack of events or ticketing system integrations. In a small scale setup with a handful admins that may work okay, but at any sort of scale getting approvals will just be very inefficient. Some SPIs/providers may help here in combination with some events, and some different policies on approval say for instance requires X number of approvals rather than a %
• The UI could be better in terms of viewing what is being changed, perhaps a diff or something could help here
• What changes should support approvals (everything supported by admin ui/api perhaps?)? How to configure what requires approvals for a given realm?
• What about supporting an SPI/provider for approvals? That could allow integrating external workflows to review/accept approvals, allowing writing some custom code that can review/approve certain changes automatically, etc.
• Auditing - how to view who approved what change; basic approach here may just be relying on events for now; adding details on who made a change as well as who approved the change

One additional thought is that we may want to be careful as terming this IGA (lightweight or not) due to this really only being a small subset of capabilities provided by an IGA solution. We may want to name the feature something like approvals perhaps, rather than the much broader term IGA.

Related issue #41993. This adds another interesting angle, maybe you want to just be notified rather than review updates.

Hi @ondamike.

IGA is a key area within IAM, and something Keycloak is lacking in order to define/enforce policies on resources and streamline their operations.

What you are doing is great, and the capabilities you are proposing provide a very nice baseline to cover some of the IGA key aspects, such as access request and provisioning, and separation of duties. Please, count me in for further discussions/meetings on the matter.

IGA is an area that we are starting to explore, and I'm really glad that others are interested in collaborating on how we can improve the project capabilities in terms of governance and administration.

As you know, today we have a set of capabilities that are somewhat related to key aspects of IGA. To name a few:

• User Profile
• Fine-Grained Admin Permission and Admin RBAC
• Events
• Client Policies
• Authentication Policies
• Credential Policies
• Identity Brokering
• User Federation

However, even though these provide some building blocks for IGA, we don't have an upper layer from where we can set policies to govern security assets, to enforce such policies, as well as to streamline and automate operational tasks.

In addition to that, we also have ongoing initiatives like the Resource Lifecycle Management [1] [2] feature that seeks to address some key aspects around IGA, mainly around identity/resource lifecycle management. This feature should help a lot with what @slaskawi linked here #41993.

Another key feature that we have planned is to finally support SCIM, which should help to enable more integrations and mainly help with identity lifecycle management.

From an administrator PoV, I imagine in Keycloak a specific section in the Admin UI an specific that maps to "Governance and Administration". In this section, I can also imagine some key capabilities available such as the one you are proposing and those I have mentioned.

I'm preparing a document to help us drive discussions around IGA and how any existing and new capabilities play out in this arena. Once I've something more concrete, I would like to share it with you (probably in a call) to see how we can work together on this. I think the idea is to convert it to a set of GH issues in the future and resume the original epic [3] you have started with a more concrete plan.

[1] #39888
[2] #10370
[3] #41351