Using the KeyCloak admin console, I am attempting to enact the following use-case.
We have Group X and Group Y.
The role 'Group X Admin' can do the following:
It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.
It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.
Is there a way to grant permissions to Add Users while restricting access to certain groups?
Groups in Keycloak allow you to manage a common set of attributes and role mappings for a set of users. Users can be members of zero or more groups. Users inherit the attributes and role mappings assigned to each group. To manage groups go to the Groups left menu item. Groups are hierarchical.
Keycloak brings you to that provider’s configuration page. If a User Storage Provider fails, you may not be able to log in and view users in the Admin Console. Keycloak does not detect failures when using a Storage Provider to look up a user, so it cancels the invocation.
Keycloak users can manage their accounts through the Account Console. Users can manage their profiles, add two-factor authentication, include identity provider accounts, and manage device activity. The Account Console is completely themeable and internationalizable, as is the case with all Keycloak user interfaces.
When the Admin Console becomes inaccessible on the frontend URL of Keycloak, configure a fixed admin URL in the default hostname provider. You can restrict access to /auth/admin to only specific IP addresses. For example, restrict access to /auth/admin to IP addresses in the range 10.0.0.1 to 10.0.0.255.
You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from Red Hat), but it's the kind of functionality you are looking for.
I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.
Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).
Update
Some instructions on how to set it up:
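The answer's fallback, a privileged service in front of Keycloak that does delegated user administration, is what actually answers the original question for item 1: the service holds the realm-management `manage-users` power itself, and a "Group X Admin" never talks to the Admin API directly, only to the service, which refuses anything outside that admin's own group. The following is an added example written for this page, not code from the question, the answer or the Keycloak project. It assumes a realm named `demo`, group ids `group-x` / `group-y`, a service token already obtained for a service account, and a constructed fake transport so it runs offline; the REST paths (`POST /users`, `PUT /users/{id}/groups/{groupId}`, `GET /groups/{id}/members`) are the documented Admin REST API paths under `/admin/realms/{realm}`.

```python
import json
import urllib.request


class Forbidden(Exception):
    """Raised when a delegated admin acts outside the groups assigned to them."""


class KeycloakAdminClient:
    """Thin wrapper over the Keycloak Admin REST API, called only by the service.

    `opener` defaults to urllib.request.urlopen; the example injects a fake below.
    The bearer token is assumed to belong to a service account that holds
    realm-management/manage-users; obtaining it is outside this example.
    """

    def __init__(self, base_url, realm, token, opener=urllib.request.urlopen):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.token = token
        self.opener = opener

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            self.base + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with self.opener(req) as resp:  # urlopen raises HTTPError on 4xx/5xx
            return resp.status, dict(resp.headers), resp.read()

    def create_user(self, username, email):
        # POST /users answers 201 with a Location header ending in the new user id.
        status, headers, _ = self._call(
            "POST", "/users", {"username": username, "email": email, "enabled": True})
        if status != 201:
            raise RuntimeError(f"user creation failed: HTTP {status}")
        return headers["Location"].rsplit("/", 1)[-1]

    def add_to_group(self, user_id, group_id):
        # PUT /users/{id}/groups/{groupId} adds the user to the group.
        self._call("PUT", f"/users/{user_id}/groups/{group_id}")

    def group_members(self, group_id):
        # GET /groups/{id}/members returns only that group's users.
        _, _, payload = self._call("GET", f"/groups/{group_id}/members")
        return json.loads(payload)


class DelegatedUserAdmin:
    """The privileged front service: checks group scope, then calls Keycloak."""

    def __init__(self, kc, admin_groups):
        self.kc = kc
        self.admin_groups = admin_groups  # {delegated admin username: set of group ids}

    def _check(self, actor, group_id):
        if group_id not in self.admin_groups.get(actor, set()):
            raise Forbidden(f"{actor} may not administer group {group_id}")

    def create_user(self, actor, username, email, group_id):
        self._check(actor, group_id)
        user_id = self.kc.create_user(username, email)
        # A user created by a group admin always lands in that admin's group.
        self.kc.add_to_group(user_id, group_id)
        return user_id

    def list_users(self, actor, group_id):
        self._check(actor, group_id)
        return self.kc.group_members(group_id)


class _FakeResponse:
    """Constructed stand-in for a urllib response (offline demonstration only)."""

    def __init__(self, status, headers, body):
        self.status, self.headers, self._body = status, headers, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Constructed fake Keycloak server answering the three calls used above."""
    path = req.full_url.split("/admin/realms/demo", 1)[1]
    if req.get_method() == "POST" and path == "/users":
        return _FakeResponse(201, {"Location": req.full_url + "/u-123"}, b"")
    if req.get_method() == "PUT" and path.startswith("/users/"):
        return _FakeResponse(204, {}, b"")
    if req.get_method() == "GET" and path == "/groups/group-x/members":
        return _FakeResponse(200, {}, b'[{"id": "u-123", "username": "alice"}]')
    raise AssertionError(f"unexpected call {req.get_method()} {path}")


GROUP_X_ID, GROUP_Y_ID = "group-x", "group-y"  # assumed group ids


def demo():
    kc = KeycloakAdminClient("https://kc.example.com", "demo", "service-token",
                             opener=fake_opener)
    svc = DelegatedUserAdmin(kc, {"x-admin": {GROUP_X_ID}})
    created = svc.create_user("x-admin", "alice", "alice@example.com", GROUP_X_ID)
    members = [u["username"] for u in svc.list_users("x-admin", GROUP_X_ID)]
    try:
        svc.list_users("x-admin", GROUP_Y_ID)  # must be refused
        blocked = False
    except Forbidden:
        blocked = True
    return created, members, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `manage-users` is never granted to the group admins at all, so the "composite role overrides fine-grained permissions" problem from the question does not arise; the only identity with realm-wide power is the service account, and the scope check in `DelegatedUserAdmin._check` is the one place that decides which group a given admin may touch. In production the actor would come from the caller's verified access token rather than a plain parameter, and the `admin_groups` mapping would be backed by a store instead of a dict.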