[keycloak-user] Missing client roles to view and manage groups?

Bill Burke bburke at redhat.com
Thu Jan 28 10:40:47 EST 2016


https://issues.jboss.org/browse/KEYCLOAK-2408

On 1/28/2016 10:21 AM, Edgar Vonk - Info.nl wrote:
> It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
>
> Our case is that we want to have ‘functional admin’ users that are allowed to manage users and groups within their realm (and nothing else).
>
> I have now created such a functional admin user with the following client roles in this particular realm:
> - view-events
> - manage-users
> - view-users
> - impersonation
>
> When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I click on it I get a “Forbidden. You don't have access to the requested resource.” and in the logs we see:
>
> 4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
> 	at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
> 	at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
> 	at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>
>
> Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
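
For anyone triaging the same symptom from server logs, here is an added example (not part of the original thread and not Keycloak code): a small Python parser that extracts the realm, the admin endpoint and the RealmAuth check that refused the request from entries in the format quoted above. The sample log is constructed from the quoted lines; the second entry's timestamp and task name and the INFO line are made up.

```python
import re
from collections import Counter

# Constructed sample: entry 1 copies the log line and top frames quoted in the
# thread; the INFO line and entry 2 (same frames, new timestamp) are made up.
SAMPLE_LOG = """\
4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
\tat org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
\tat org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
\tat sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
5:00:00,001 INFO [constructed.example] (default task-3) unrelated line
5:01:02,113 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
\tat org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
\tat org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
"""

# Header of a refused admin REST call, as RESTEasy logs it.
HEAD = re.compile(r"RESTEASY002005: Failed executing (?P<method>[A-Z]+) "
                  r"/admin/realms/(?P<realm>[^/\s]+)/(?P<resource>[^:\s]*): "
                  r"(?P<exc>[\w.]+ForbiddenException)")
# One stack frame: fully qualified class, method name, opening parenthesis.
FRAME = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<meth>[\w$<>]+)\(")

def parse_denials(log_text):
    """Return one dict per ForbiddenException on an admin endpoint."""
    denials, current = [], None
    for line in log_text.splitlines():
        head = HEAD.search(line)
        if head:
            current = dict(head.groupdict(), check=None, handler=None)
            denials.append(current)
            continue
        frame = FRAME.match(line)
        if frame is None:
            current = None                      # any other line ends the trace
        elif current is not None:
            cls = frame["cls"].rsplit(".", 1)[-1]
            if cls == "RealmAuth" and current["check"] is None:
                current["check"] = frame["meth"]        # e.g. requireView
            elif current["check"] and current["handler"] is None:
                current["handler"] = f"{cls}.{frame['meth']}"  # caller of the check
    return denials

def summarize(denials):
    """Count denials per (realm, endpoint, failed check)."""
    return Counter((d["realm"], d["resource"], d["check"]) for d in denials)

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).items():
        print(count, *key)
```

A repeated `requireView` denial on the same endpoint for a delegated admin account points at a role the account lacks rather than at a one-off failure.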


