[keycloak-user] Set up fine grained permissions

Hammarberg, Daniel daniel.hammarberg at capgemini.com
Tue Apr 3 03:57:41 EDT 2018


Hi all,

I am trying to set up fine grained permissions, following the instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

I have not managed to set permissions for a user to view one client. Could anyone help me find what’s missing?

My settings:

In the Users menu:

User cm_g123456 is a member of the group “Content Managers”.
The group Content Managers is mapped to the realm role “Content Manager” and the client roles realm-management -> query-clients and view-users.
If I open the user cm_g123456 and check the Effective Roles under Role Mappings, I can see that Content Manager is active.
The user cm_g123456 also has the client role realm-management -> query-clients.

In the Clients menu:

I open my client, “foo.com”.

Permissions are enabled. I have the following permission:

Name: manage.permission.client.manageSkfCom
Scopes: manage
Apply Policy: content-managers
Decision Strategy: Unanimous

I have the following policy:

Name: content-managers
Realm Roles:
   Name: Content Manager
   Required: checked
Logic: Positive

When I log in to the admin console as the user cm_g123456, I cannot see any clients. Also, when opening a user I cannot see any client roles in the Available Roles list under Role Mappings.

Best regards
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services

Capgemini Sweden | Göteborg

