[keycloak-dev] Fine-grained permissions along hierarchy paths

Thomas Darimont thomas.darimont at googlemail.com
Tue Aug 14 14:58:20 EDT 2018


Hello,

I have a realm with nested groups that denotes a hierarchical corporate
structure.

/corp
-/org
--/branch1
---/divsion1
----/team1
----/team2
---/divsion2
----/team3
----/team4
--/branch2
-/infra
...
Users belong to one particular group along the /corp/org subtree, but might
also be members of one or more groups from a different subtree, e.g.,
/corp/infra.

Is it possible to have dedicated admin users at /corp, /branchX, /divisionX
level who can only view and manage the users from their group or subtree
with an admin-console scoped to a fixed realm?

admin-console scoped to group-hierarchy-demo realm:
http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/group-hierarchy-demo/users

If a user logs in as divsion1-admin-user, he should only be able to see and
manage the users beneath the path (/corp/org/branch1/division1/*).

Does the fine-grained permission system already support use cases like this?

Cheers,
Thomas


More information about the keycloak-dev mailing list