[keycloak-dev] How to assign new client default roles to existing users?

Stian Thorgersen stian at redhat.com
Mon Jun 8 08:31:19 EDT 2015



----- Original Message -----
> From: "Vlastimil Elias" <velias at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 8 June, 2015 2:23:49 PM
> Subject: Re: [keycloak-dev] How to assign new client default roles to existing users?
> 
> Nice workaround, thanks for the tip.
> I thought about it also, but I'm not able to assign this new composite
> default role to all existing users still ;-)

It's not a workaround, it's what we had in mind when we added default roles and composite roles ;)

> 
> So some of the solutions for default roles as I proposed should be good.

Neither of your two first proposals is required, as using a composite default role gives the same result. What is required though is support for batch updates in admin console. We don't have resources to do that atm though. I'd suggest you create a default composite role. Then afterwards either use the REST API to add this to all existing users or directly update the DB (it should be a relatively simple update).

> 
> Thanks
> 
> Vlastimil
> 
> On 8.6.2015 14:03, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Vlastimil Elias" <velias at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 8 June, 2015 1:54:11 PM
> >> Subject: [keycloak-dev] How to assign new client default roles to existing users?
> >>
> >> Hi,
> >>
> >> we just found one admin use case which is not covered by existing Keycloak
> >> and its Admin GUI.
> >>
> >> When you create new Client later and define some default role/s for it, then
> >> there is not any way how to assign these roles to existing users.
> >> Problem is that default roles are assigned to users in DB when they are
> >> created. Then admin GUI allows to assign roles for one user only, not too
> >> useful when you have hundreds or thousands of users ;-)
> >> Only workaround for now is to write script which uses REST API to assign new
> >> default roles to all existing users.
> >>
> >> I see these possible solutions:
> >>
> >>
> >>      * do not assign default roles in DB when user is created, but assign them
> >>      dynamically when user roles are asked - possible cons of this solution
> >>      is that it does not allow to remove default role from concrete/selected
> >>      users
> >>      * keep default roles assignment into DB on user create, but automatically
> >>      assign new default role to all existing users once it is defined for
> >>      client
> >>      * keep default roles assignment into DB on user create, but add some
> >>      manual bulk role assignment action into Admin GUI, which allows admin to
> >>      assign role to existing users.
> >>
> >> WDYT, which solution should be better?
> > Or, create a composite role called 'default' and have this as the only
> > default role. Afterwards you can map new roles to this composite role and
> > it'll be reflected for all users that have the 'default' role assigned to
> > them.
> >
> >> Cheers
> >>
> >> Vlastimil
> >>
> >> --
> >> Vlastimil Elias
> >> Principal Software Engineer
> >> jboss.org Development Team
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> --
> Vlastimil Elias
> Principal Software Engineer
> jboss.org Development Team
> 
> 
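
The REST API route suggested in the reply above, as an added example that is not part of the original thread or of Keycloak's own code: it pages through a realm's users and grants one realm role (for instance the composite 'default' role) to each user who lacks it, defaulting to a dry run so the list of affected accounts can be reviewed first. The base URL, the bearer token and the helper names `make_http` and `assign_role_to_all` are assumptions; the paths are the Admin REST API's users, roles and role-mappings resources.

```python
import json
import urllib.request
from urllib.parse import quote

def make_http(base_url, token):
    """Return http(method, path, body) bound to an assumed server URL and admin token."""
    def http(method, path, body=None):
        req = urllib.request.Request(
            base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return http

def assign_role_to_all(http, realm, role_name, page_size=100, dry_run=True):
    """Grant one realm role to every user lacking it; return the usernames affected."""
    base = "/admin/realms/" + quote(realm, safe="")
    # Fetch the role representation once; the mapping call needs its id and name.
    role = http("GET", base + "/roles/" + quote(role_name, safe=""))
    changed, first = [], 0
    while True:
        page = http("GET", "%s/users?first=%d&max=%d" % (base, first, page_size))
        if not page:
            break  # an empty page means every user has been visited
        for user in page:
            mapping = "%s/users/%s/role-mappings/realm" % (base, user["id"])
            held = {r["name"] for r in (http("GET", mapping) or [])}
            if role_name in held:
                continue  # idempotent: leave users who already hold the role alone
            if not dry_run:
                http("POST", mapping, [{"id": role["id"], "name": role["name"]}])
            changed.append(user["username"])
        first += len(page)
    return changed

# Usage (assumed values, not run here):
#   http = make_http("https://sso.example.test/auth", "<admin access token>")
#   print(assign_role_to_all(http, "demo", "default"))           # review first
#   assign_role_to_all(http, "demo", "default", dry_run=False)   # then apply
```

The returned list doubles as an audit record of which accounts gained the role; a second run returning an empty list confirms the grant is complete.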