Keycloak allow user to create new users - permissions

I have an admin role on my realm and a user-admin role for my test client.
The user-admin is only allowed to view users, edit them and map roles from the test client. I also want the user-admin to create new users.
Sadly the "Add User" button is not displayed when I log in using a user-admin.
The only way to allow the user-admin to create users is to add the manage-users role from the realm-management client as a composite.
The problem with the manage-users role is that it also allows to view and edit groups and to map every role there is including my admin realm role.
I tried using the map-role permission from the admin role itself. That did not work and it seems that the manage-users role simply overweights the permissions of the role.
I'd expect something like a create permission for the Users resource but can't find anything like that.
Thanks,
Maik

Related

backend user permissions for HR type role

I'm trying to set up an HR type role, so one of our users can do all the backend user and division management.
Most of it is working apart from two things.
When creating the user, the Access Settings tab is missing; the normal admin user shows it but my HR role does not.
Is there a specific security item we need to add to allow this?
Also, when I try to create a new business unit under the unit that user belongs to, I get a "you do not have permission to perform this action" message. For that HR user I have set all the business permissions to business unit.
Again, do I need to set a specific permission to allow this?
Thanks
Steve
The tab is hidden because the new role doesn't have an Organization view permission.

How to grant some users partial user management rights in Keycloak?

Let's say I'm using one realm mycomp in Keycloak to handle all users (+ master realm for Keycloak superadmin).
I have a role of Customer Support (CS) that should be able to view users and manage their basic data like names, email, password reset etc.
I'm able to grant realm-management permissions like manage-users or view-users to any user in 3 ways:
assign directly
by creating composite role for CS
by creating group with and adding there CS
The problem is that, given manage-users rights, CS ends up being able to manage roles and groups, so it is able to grant other users management permissions. That's not valid for my config - it is a role of some higher level admin.
How to grant some users permissions to view and manage basic user data without allowing them to manage roles?
So at the end of the day I finally managed to find a working solution.
The problem was that the manage-users Role can't be overridden by a Policy.
With the help of Pedro Igor Silva from Keycloak (https://issues.redhat.com/browse/KEYCLOAK-18151) I managed to set up a configuration that fulfills the use case.
With the Keycloak preview feature admin_fine_grained_authz enabled, I created a global composite Role user-managers and granted it the query-users Role from the realm-management client. Then I created a Policy that grants manage permission on the Users resource when the user has the user-manager role.
That works perfectly.
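Both Keycloak questions above turn on the same risk: a custom role that pulls in manage-users from realm-management, directly or through nested composites, also gains role mapping. The following is an added example, not part of any of the original posts, that finds such roles in a realm export; it assumes the export's roles.realm / roles.client layout with composites entries, and the sample data and the role names cs-support, hr and hr-base are constructed.

```python
# Constructed sample: the "roles" section of a realm export (assumed layout).
SAMPLE_EXPORT = {"roles": {
    "realm": [
        {"name": "admin"},
        {"name": "cs-support", "composite": True,
         "composites": {"client": {"realm-management": ["view-users"]}}},
        {"name": "hr", "composite": True, "composites": {"realm": ["hr-base"]}},
        {"name": "hr-base", "composite": True,
         "composites": {"client": {"realm-management": ["manage-users"]}}},
    ],
    "client": {
        "test": [{"name": "user-admin", "composite": True,
                  "composites": {"client": {"realm-management": ["manage-users"]}}}],
        "realm-management": [{"name": "manage-users"}, {"name": "view-users"}],
    },
}}

TARGET = ("realm-management", "manage-users")


def index_roles(export):
    """Map (client_id or None, role name) -> directly included role keys."""
    graph = {}

    def add(owner, role):
        comp = role.get("composites", {})
        kids = [(None, name) for name in comp.get("realm", [])]
        for client, names in comp.get("client", {}).items():
            kids += [(client, name) for name in names]
        graph[(owner, role["name"])] = kids

    roles = export.get("roles", {})
    for role in roles.get("realm", []):
        add(None, role)
    for client, client_roles in roles.get("client", {}).items():
        for role in client_roles:
            add(client, role)
    return graph


def roles_granting(export, target=TARGET):
    """Roles whose composite closure includes target (cycle-safe walk)."""
    graph = index_roles(export)

    def reaches(key, seen):
        if key == target or key in seen:
            return key == target  # hit, or already visited without a hit
        seen.add(key)
        return any(reaches(child, seen) for child in graph.get(key, []))

    hits = [k for k in graph if k != target and reaches(k, set())]
    return sorted(hits, key=lambda k: (k[0] or "", k[1]))
```

A key with None as its first element is a realm role; any role this returns should be reviewed before it is assigned to support or HR staff.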

Keycloak set group as owner of resource

I am new to Keycloak and I am trying to use it as an authentication server in my solution.
I have the following entity model: the devices are owned by a particular company to which some users belong. A user with role admin can grant permission for viewing some set of devices to a regular user but only those devices that belong to the admin's company. Thus all users except admins can view only a subset of all devices in the company.
Based on these requirements, I decided to make companies as groups and devices as Keycloak's resources. To evaluate permissions, I chose rule based policy.
The question is -- Can I set group as an owner of resource to check this relation in policy?
If someone is more experienced in Keycloak and knows how to better represent such a model, please help.
Thank you in advance.
While working on Keycloak, I didn't find any way to set multiple owners for particular resources.
I have an alternative option to give the access permission that owners have for their resources.
Let's say Resource A's owner is OWNER A, and there are two more users, USER A and USER B. Suppose OWNER A has already shared the access permission with USER A, and USER A wants to share Resource A with USER B on behalf of the resource owner; how can USER A share the resource scopes with USER B?
Answer
Keycloak provides a token exchange or impersonation feature. With the help of this, USER A is able to share the resources with USER B on behalf of OWNER A (the owner of Resource A).
Reference: You just need to follow this Keycloak Impersonation
Add comments if you still face the problem.
In Keycloak, you may represent a particular company (or any organization or organizational unit) as a realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
Create a new realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm
Then represent the company's users as users in the company's Keycloak realm:
https://www.keycloak.org/docs/latest/server_admin/index.html#user-management
... and devices as Keycloak Clients (any kind of resource you want to enforce permissions on is a Client in the Keycloak model):
https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
An admin role is already defined by default for each role (Roles menu).
Instructions tested on Keycloak 4.0.0.
For each device, create the corresponding Client in Keycloak (Clients menu). Switch on Permissions Enabled on the Permissions tab of the new client. A list of admin console permissions will appear just below the switch button, such as the view permission.
Then, in order to assign the permission to view the device to some user, the admin should click on the view permission (link) just mentioned, create a User Policy (Create Policy... listbox) and select the users (assignees) in the Users field.
In order to assign the permission on multiple devices to the same group of people, use a Group or Role Policy instead (put the users in the same group before).
In order to assign the permission to groups of devices, use one Group/Role per group of devices, then assign users to the Group/Role.

How to apply the same security properties of a login for all users login

I have defined security properties of a login.
I have 200 users.
How can I dynamically apply the same security properties of a login to all users' logins?
Create a Role (through the GUI or T-SQL) with the required permissions, then add all 200 users as members of that role. Not sure if you can force the role to 'copy' permissions from a particular user, but from an auditing and maintenance perspective, it's far simpler to make required changes to a Role once and have them instantly inherited by all members.

How do you assign certain permissions to a single user without using the roles?

Adding permissions to a role enables the given permission to all users in that role by default; this is something I want to avoid.
I want to be able to set permissions like "Booking: View own Bookings" at user level and not the role level.
Is there a module that already does this, or can someone give me some possible approaches or pseudo code of some kind?
Yes, there's the User Permissions module.
User Permissions provides an interface for giving additional permissions to individual users without the need to assign them to a special role. When this module is enabled, users with the 'administer permissions' permission can access the 'User Permissions' tab on each user's account.