KeyCloak restricting user management to certain groups while enabling 'manage-users'

Using the KeyCloak admin console, I am attempting to enact the following use-case.

We have Group X and Group Y.

The role 'Group X Admin' can do the following:

  1. Can create users without a group.
  2. Can assign users without a group to group X.
  3. Can edit and manage users in group X.
  4. Cannot see/edit/manage users in group Y.

It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.

It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.

Is there a way to grant permissions to Add Users while restricting access to certain groups?

James Ta asked Jul 31 '18 15:07



1 Answer

You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from RedHat) but it's the kind of functionality you are looking for.

I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.

Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).

Update

Some instructions on how to set it up:

  • Enable preview profile (in Keycloak startup script)
  • Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
  • Create a group x-users
  • Create a group x-admins
  • Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
  • Click view-members (on the same page) and add a group policy:
    • Scopes: view-members
    • Apply Policy: Create Policy... / Group
    • Enter name, e.g. x-admin-policy
    • Enter description
    • Groups: select group x-admins
    • Save
    • Repeat for manage-members

Codo answered Oct 10 '22 20:10
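The same setup the answer walks through in the admin console can be scripted against the Keycloak Admin REST API, which makes it repeatable and reviewable. The script below is an added example, not code from the answerer or from the Keycloak project: it enables permissions on the realm-management client, creates the x-users and x-admins groups if they are missing, enables permissions on x-users, creates a group policy for x-admins, and attaches that policy to the view-members and manage-members scope permissions Keycloak generated for the group. It assumes the preview feature is already enabled on the server (the answer's first step), that the base URL, realm, admin credentials and group names come from environment variables, and that the admin user can log in through the admin-cli client of the master realm. The sample ManagementPermissionReference JSON and all ids in it are constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what Keycloak returns from
# PUT /admin/realms/{realm}/groups/{id}/management/permissions (ids are made up).
SAMPLE_MGMT_REF = {
    "enabled": True,
    "resource": "res-1111",
    "scopePermissions": {
        "view": "perm-view",
        "manage": "perm-manage",
        "view-members": "perm-view-members",
        "manage-members": "perm-manage-members",
        "manage-membership": "perm-manage-membership",
    },
}


def member_scopes(mgmt_ref):
    """Pick the two scope permissions the answer configures: view-members and manage-members."""
    perms = mgmt_ref["scopePermissions"]
    return {name: perms[name] for name in ("view-members", "manage-members")}


def group_policy_body(name, admin_group_id, description=""):
    """Body for POST .../authz/resource-server/policy/group: grants to members of admin_group_id."""
    return {
        "name": name,
        "description": description,
        "type": "group",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        # extendChildren=False: only direct members of the admin group qualify.
        "groups": [{"id": admin_group_id, "extendChildren": False}],
    }


def scope_permission_body(existing, resource_id, scope_id, policy_id):
    """Body for PUT .../authz/resource-server/permission/scope/{id}: keep name/id, attach the policy."""
    body = dict(existing)
    body.update({"type": "scope", "resources": [resource_id],
                 "scopes": [scope_id], "policies": [policy_id]})
    return body


def get_token(base, user, password):
    """Password grant via the admin-cli client of the master realm (assumed admin login)."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    with urllib.request.urlopen(f"{base}/realms/master/protocol/openid-connect/token", data=data) as r:
        return json.load(r)["access_token"]


class KeycloakAdmin:
    def __init__(self, base, realm, token):
        self.base, self.realm, self.token = base.rstrip("/"), realm, token

    def call(self, method, path, body=None, params=None):
        url = f"{self.base}/admin/realms/{self.realm}{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return json.loads(raw) if raw else None

    def group_id(self, name):
        """Find a top-level group by exact name, creating it if absent (201 has no body)."""
        hits = [g for g in self.call("GET", "/groups", params={"search": name}) if g["name"] == name]
        if not hits:
            self.call("POST", "/groups", {"name": name})
            hits = [g for g in self.call("GET", "/groups", params={"search": name}) if g["name"] == name]
        return hits[0]["id"]


def setup_group_scoped_admin(kc, managed_group, admin_group):
    """Reproduce the answer's console steps for one managed group and its admin group."""
    rm = kc.call("GET", "/clients", params={"clientId": "realm-management"})[0]["id"]
    kc.call("PUT", f"/clients/{rm}/management/permissions", {"enabled": True})
    authz = f"/clients/{rm}/authz/resource-server"
    managed_id, admin_id = kc.group_id(managed_group), kc.group_id(admin_group)
    ref = kc.call("PUT", f"/groups/{managed_id}/management/permissions", {"enabled": True})
    policy = kc.call("POST", f"{authz}/policy/group",
                     group_policy_body(f"{admin_group}-policy", admin_id, f"members of {admin_group}"))
    for scope_name, perm_id in member_scopes(ref).items():
        scope_id = [s for s in kc.call("GET", f"{authz}/scope", params={"name": scope_name})
                    if s["name"] == scope_name][0]["id"]
        existing = kc.call("GET", f"{authz}/permission/scope/{perm_id}")
        kc.call("PUT", f"{authz}/permission/scope/{perm_id}",
                scope_permission_body(existing, ref["resource"], scope_id, policy["id"]))
    return policy["id"]


if __name__ == "__main__":
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080/auth")  # assumed; drop /auth on newer builds
    token = get_token(base, os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    kc = KeycloakAdmin(base, os.environ.get("KEYCLOAK_REALM", "myrealm"), token)
    print("policy id:", setup_group_scoped_admin(kc, "x-users", "x-admins"))
```

After running it, log in to the admin console as a member of x-admins and confirm that the Users list shows only x-users members and that attempting to open a user from another group is refused; that is the check for items 3 and 4 in the question. As the answer notes, this does not by itself grant the ability to create new users (item 1), and adding realm-wide manage-users would again widen the scope, so the user-creation step still needs a separate solution.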