
Workflows #39888

@sguilhen

Description

The Workflows feature aims to empower Keycloak administrators to automate the management of realm resources. While administrators can manage the lifecycle of resources through the existing APIs, we lack a feature that automates the management of resources by executing actions on specific conditions, such as disabling users after a configured inactivity period. Instead, the administrator has to actively manage the realm resources - a task that can be tedious, time-consuming, and error-prone.

Adding a feature that can automate certain user-related tasks, such as disabling, notifying or even removing users after a period of inactivity, is a huge step towards building an identity governance model for Keycloak. It also helps to reduce both the attack surface of the realm data and the cost that comes with keeping unused resources in the database.

The core of the new feature centers on automating the management of user resources through time-based policies. However, the design should accommodate the future expansion to include the management of other resources such as clients, brokers and organizations.

This is a follow-up of the transient users feature, giving administrators an option to not store user-related information permanently, but only for an adequate and configurable period of time.

Discussion

#10370

Motivation

The main motivation for this feature is to start building an identity governance model for Keycloak, allowing admins to define policies for notifying, disabling, or even removing users after a configurable amount of time. Expanding on this idea, other resources could also be managed using these policies.

For example, a client or identity broker that hasn't been used for authentication for a long time could be automatically disabled or removed, reducing the cost of storing and managing all these stale resources indefinitely and simplifying the server administration.
