[keycloak-user] Missing client roles to view and manage groups?

Edgar Vonk - Info.nl Edgar at info.nl
Thu Jan 28 10:21:19 EST 2016


Hi,

(oops, sent this to the keycloak-dev mailing list by mistake earlier..)

It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.

Our case is that we want to have ‘functional admin’ users that are allowed to manage users and groups within their realm (and nothing else).

I have now created such a functional admin user with the following client roles in this particular realm:
- view-events
- manage-users
- view-users
- impersonation

When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I click on it I get a “Forbidden. You don't have access to the requested resource.” and in the logs we see:

4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
	at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
	at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
	at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)


Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?

cheers

Edgar
