[keycloak-user] create admin user to control other users, but at the same time making him/her unable to change his/her own permissions

Simon Payne simonpayne58 at gmail.com
Wed Nov 8 05:14:29 EST 2017


Hi, it is possible - try the following or some variation to suit your use
case.  My example allowed a user in a suitable admin role to allocate
client roles to a user, but the user was otherwise read only.

1 - Create a role to act as admin
2 - Create a policy for your role
3 - Give permission to map client roles.  This is done by selecting your
client then switching on permissions.  Then against map-roles apply your
role policy.
4 - Give permission to view users.  This is done by selecting the admin
role, then role mappings.  Select client roles -> realm-management -> view
users.
5 - Give permission to map roles to users.  Enable permissions on the users
section.  Then apply your admin role policy.


Hope this works for you

Simon.




On Tue, Nov 7, 2017 at 10:10 AM, pavlos kaimakis <pkaim at hotmail.com> wrote:

> Hi there,
>
>
> Is there any way we can configure a user that will have the rights to
> view/edit/delete/assign other users' roles, but will NOT be able to change
> the setting for him/herself?
>
> Reason asking is I want a user as admin to deal with the rest of the
> users, but at the same time I don't want that user to be able to grant
> permissions to him/herself to access some other clients. The default
> 'admin' role gives him/her this option.
>
> Waiting for your response
>
>
> BRs
>
>
> Lefteris
>
>
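An added check, not part of the original e-mails: once the steps in the reply are applied, the delegated admin should hold only view-users on the realm-management client (step 4), so a broader role there would undo the restriction. The Python below audits a user's role-mapping JSON for that; the JSON shape is assumed to match what the Admin REST API returns for a user's role mappings, and the role name `user-role-admin` and the sample documents are constructed.

```python
import json

# Step 4 of the reply grants only realm-management -> view-users. Its
# composites query-users and query-groups are tolerated here as well
# (assumption of this example; adjust to your realm).
REQUIRED = {"view-users"}
ALLOWED = REQUIRED | {"query-users", "query-groups"}


def audit_delegated_admin(mappings, required=REQUIRED, allowed=ALLOWED):
    """Compare a user's realm-management client roles with the intended set.

    `mappings` is the parsed JSON of a user's role mappings, in the shape
    {"realmMappings": [...], "clientMappings": {client: {"mappings": [...]}}}.
    Returns the roles that are missing and the roles that exceed the set.
    """
    client = (mappings.get("clientMappings") or {}).get("realm-management") or {}
    held = {r["name"] for r in client.get("mappings") or []}
    return {"missing": sorted(required - held), "excess": sorted(held - allowed)}


# Constructed sample data, not taken from a real realm.
# "user-role-admin" is a hypothetical name for the role created in step 1.
AS_INTENDED = json.loads("""
{"realmMappings": [{"name": "user-role-admin"}],
 "clientMappings": {"realm-management": {"client": "realm-management",
   "mappings": [{"name": "view-users"}]}}}
""")
TOO_BROAD = json.loads("""
{"clientMappings": {"realm-management": {"client": "realm-management",
   "mappings": [{"name": "view-users"}, {"name": "manage-users"},
                {"name": "manage-clients"}]}}}
""")

if __name__ == "__main__":
    for label, doc in (("as intended", AS_INTENDED), ("too broad", TOO_BROAD)):
        print(label, audit_delegated_admin(doc))
```

The function only sees the roles present in the document it is given, so feed it the effective (composite-expanded) mappings if roles in your realm are granted through composites or groups.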

