[keycloak-dev] Assign group roles to specific users

Shanon Levenherz shanonvl at yahoo.com
Wed May 31 14:14:58 EDT 2017

Hi there,

I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with sub-tenants, and would like to provide them with the ability to administer themselves (including any applicable sub-tenants). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm, as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to e.g. administer the users or create a sub group for a new tenant.

Something like this:

|- User 1 (user-admin role)
|- Tenant 1 Group
|  |
|  |- User 1.1 (user-admin role)
|  |- User 1.2
|  |- …
|  |- User 1.n
|- Tenant 2 Group
|  |
|  |- User 2.1 (user-admin role)
|  |- User 2.2
|  |- …
|  |- User 2.n
|  |
|  |- Tenant 3 Group
|  |
|  |- User 3.1 (user-admin role)
|  |- User 3.2
|  |- …
|  |- User 3.n

From the above we’re looking for:

* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3

I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea.  A better alternative might be that each group has an 
>"user-admin" role.  If a user has the "user-admin" role of the group, it 
>can administer users in that group and assign roles defined in that 
>group.  One thing to really think about is, what about sub-groups.  Can 
>an admin of the parent group administer sub groups?

This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.

Please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help. Thank you!
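The authorization rule sketched in the quoted comment (a per-group "user-admin" role that also covers sub-groups) can be modelled in a few lines so the expected access matrix for the hierarchy above is explicit. The following is an added example and not Keycloak code or anything from the original post; it assumes that each user belongs to one group, that groups are identified by their path (the realm root is the empty path), that "user-admin" granted on a group inherits down to every nested sub-group, and that an admin may only hand out roles defined on the groups they administer. Tenant 3 is placed under Tenant 2, which is how User 2.1 ends up administering both. The user and role names are constructed for the example.

```python
"""Toy model of a group-scoped "user-admin" role with downward inheritance.

Added example, not Keycloak's implementation. Assumptions:
- a user belongs to exactly one group; () is the realm root,
- user-admin granted on a group applies to that group and all sub-groups,
- realm/platform admin is modelled as user-admin on the root ().
"""
from dataclasses import dataclass, field

# Groups are path tuples: ("Tenant 2", "Tenant 3") is Tenant 3 nested under Tenant 2.
GroupPath = tuple[str, ...]


@dataclass
class User:
    name: str
    group: GroupPath                                   # group the user belongs to
    user_admin_of: set[GroupPath] = field(default_factory=set)  # groups where user-admin is granted


def is_within(group: GroupPath, scope: GroupPath) -> bool:
    """True if `group` is `scope` itself or nested anywhere below it.

    Compared component-wise, so "Tenant 1" never matches "Tenant 10" the way
    a naive string-prefix check on "/Tenant 1" would.
    """
    return group[: len(scope)] == scope


def can_administer(admin: User, target: User) -> bool:
    """Admin may manage target if target's group lies inside any scope the admin holds."""
    return any(is_within(target.group, scope) for scope in admin.user_admin_of)


def assignable_roles(admin: User, target: User,
                     roles_by_group: dict[GroupPath, set[str]]) -> set[str]:
    """Roles the admin may assign to target: only those defined on a group the
    admin administers that also contains the target (assumption from the quoted idea)."""
    if not can_administer(admin, target):
        return set()
    return {role
            for scope in admin.user_admin_of if is_within(target.group, scope)
            for role in roles_by_group.get(scope, set())}


def admin_matrix(users: dict[str, User]) -> dict[str, list[str]]:
    """For every user, the sorted list of users they are allowed to administer."""
    return {name: sorted(t for t, tu in users.items() if can_administer(au, tu))
            for name, au in users.items()}


# Constructed hierarchy mirroring the diagram; Tenant 10 exists only to show
# that scope matching is by path component, not by string prefix.
T1 = ("Tenant 1",)
T2 = ("Tenant 2",)
T3 = ("Tenant 2", "Tenant 3")
T10 = ("Tenant 10",)

USERS = {
    "User 1": User("User 1", (), {()}),          # platform admin: user-admin on the root
    "User 1.1": User("User 1.1", T1, {T1}),      # admin of Tenant 1
    "User 1.2": User("User 1.2", T1),
    "User 2.1": User("User 2.1", T2, {T2}),      # admin of Tenant 2 and therefore Tenant 3
    "User 3.1": User("User 3.1", T3, {T3}),      # admin of Tenant 3 only
    "User 3.2": User("User 3.2", T3),
    "User 10.1": User("User 10.1", T10),
}

# Constructed role definitions attached to groups.
ROLES_BY_GROUP = {
    (): {"user-admin"},
    T2: {"tenant2-billing"},
    T3: {"tenant3-reporter"},
}

if __name__ == "__main__":
    for admin, targets in admin_matrix(USERS).items():
        print(f"{admin:9} -> {targets}")
    print(assignable_roles(USERS["User 2.1"], USERS["User 3.2"], ROLES_BY_GROUP))
```

Running the block prints one line per user with the users they may administer; User 2.1 reaches User 3.1 and User 3.2 through the nested group, User 3.1 cannot reach back up to User 2.1, and User 1.1 does not gain Tenant 10 by accident. The component-wise comparison in `is_within` is the detail worth keeping if such a rule is ever implemented over group paths.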

