[keycloak-dev] How to assign new client default roles to existing users?

Stian Thorgersen stian at redhat.com
Mon Jun 8 09:08:34 EDT 2015


I thought we had an issue for batch updates, but couldn't find one so added https://issues.jboss.org/browse/KEYCLOAK-1413.

----- Original Message -----
> From: "Vlastimil Elias" <velias at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 8 June, 2015 2:49:49 PM
> Subject: Re: [keycloak-dev] How to assign new client default roles to existing users?
> 
> Thanks for the clarification of composite roles, I'll use it.
> I agree that batch role updates in the Admin GUI should be a good solution,
> and I understand the resource constraint.
> 
> Cheers
> 
> Vlastimil
> 
> On 8.6.2015 14:31, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> >> From: "Vlastimil Elias" <velias at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 8 June, 2015 2:23:49 PM
> >> Subject: Re: [keycloak-dev] How to assign new client default roles to existing users?
> >>
> >> Nice workaround, thanks for the tip.
> >> I thought about it also, but I'm not able to assign this new composite
> >> default role to all existing users still ;-)
> > It's not a workaround, it's what we had in mind when we added default roles
> > and composite roles ;)
> >
> >> So some of the solutions for default roles as I proposed should be good.
> > Neither of your two first proposals are required as using a composite
> > default role gives the same result. What is required though is support for
> > batch updates in admin console. We don't have resources to do that atm
> > though. I'd suggest you create a default composite role. Then afterwards
> > either use the rest api to add this to all existing users or directly
> > update the db (it should be a relatively simple update).
> >
> >> Thanks
> >>
> >> Vlastimil
> >>
> >> On 8.6.2015 14:03, Stian Thorgersen wrote:
> >>> ----- Original Message -----
> >>>> From: "Vlastimil Elias" <velias at redhat.com>
> >>>> To: keycloak-dev at lists.jboss.org
> >>>> Sent: Monday, 8 June, 2015 1:54:11 PM
> >>>> Subject: [keycloak-dev] How to assign new client default roles to existing users?
> >>>>
> >>>> Hi,
> >>>>
> >>>> we just found one admin use case which is not covered by existing
> >>>> Keycloak and its Admin GUI.
> >>>>
> >>>> When you create a new Client later and define some default role/s for
> >>>> it, then there is not any way to assign these roles to existing users.
> >>>> The problem is that default roles are assigned to users in the DB when
> >>>> they are created. Then the admin GUI allows assigning roles for one user
> >>>> only, not too useful when you have hundreds or thousands of users ;-)
> >>>> The only workaround for now is to write a script which uses the REST API
> >>>> to assign new default roles to all existing users.
> >>>>
> >>>> I see these possible solutions:
> >>>>
> >>>>
> >>>>       * do not assign default roles in the DB when a user is created,
> >>>>       but assign them dynamically when user roles are asked for -
> >>>>       a possible con of this solution is that it does not allow
> >>>>       removing a default role from concrete/selected users
> >>>>       * keep default roles assignment in the DB on user create, but
> >>>>       automatically assign a new default role to all existing users
> >>>>       once it is defined for a client
> >>>>       * keep default roles assignment in the DB on user create, but add
> >>>>       some manual bulk role assignment action to the Admin GUI, which
> >>>>       allows the admin to assign a role to existing users.
> >>>>
> >>>> WDYT, which solution should be better?
> >>> Or, create a composite role called 'default' and have this as the only
> >>> default role. Afterwards you can map new roles to this composite role and
> >>> it'll be reflected for all users that have the 'default' role assigned to
> >>> them.
> >>>
> >>>> Cheers
> >>>>
> >>>> Vlastimil
> >>>>
> >>>> --
> >>>> Vlastimil Elias
> >>>> Principal Software Engineer
> >>>> jboss.org Development Team
> >> --
> >> Vlastimil Elias
> >> Principal Software Engineer
> >> jboss.org Development Team
> >>
> >>
> 
> --
> Vlastimil Elias
> Principal Software Engineer
> jboss.org Development Team
> 
> 
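
Added example (not part of the original thread and not Keycloak code): a small Python model of the behaviour discussed above, where default roles are copied into a user's mappings once at creation while a composite role is expanded when roles are evaluated. The class, method and role names are hypothetical and the data is constructed.

```python
# Constructed model of the role semantics discussed in this thread; the class
# and method names are hypothetical and are not Keycloak's API.
class Realm:
    def __init__(self):
        self.composites = {}      # role -> set of roles it contains
        self.default_roles = set()
        self.user_roles = {}      # username -> directly mapped roles (the "DB" rows)

    def add_user(self, name):
        # Default roles are copied into the user's mappings once, at creation.
        self.user_roles[name] = set(self.default_roles)

    def add_to_composite(self, composite, role):
        self.composites.setdefault(composite, set()).add(role)

    def effective_roles(self, name):
        # Expand composites transitively at evaluation time; `seen` also
        # guards against a composite that (indirectly) contains itself.
        seen, stack = set(), list(self.user_roles[name])
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.composites.get(role, ()))
        return seen

    def backfill(self, role):
        # One-off batch mapping for users created before `role` was a default.
        missing = [u for u, r in self.user_roles.items() if role not in r]
        for u in missing:
            self.user_roles[u].add(role)
        return sorted(missing)


def demo():
    realm = Realm()
    realm.default_roles = {"user"}
    realm.add_user("alice")                      # predates the composite default
    realm.default_roles = {"default"}
    realm.add_to_composite("default", "user")
    realm.add_user("bob")                        # gets only 'default' mapped
    realm.add_to_composite("default", "newclient.view")  # client created later
    before = {u: realm.effective_roles(u) for u in ("alice", "bob")}
    backfilled = realm.backfill("default")
    after = realm.effective_roles("alice")
    return before, backfilled, after


if __name__ == "__main__":
    print(demo())
```

In this model every role mapped into the composite is granted at once to every user who holds it, so a change to the 'default' composite deserves the same review as a realm-wide grant.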

