[keycloak-user] [keycloak-dev] Fine-grained permissions along hierarchy paths

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Wed Aug 15 03:44:18 EDT 2018


Hi Thomas,

I think this should work. You will just have to enable permissions for the groups /corp, /branchX, /divisionX and create matching policies and assign the scopes view-members and manage-members.
If a user is a member of one of the subgroups, the permissions defined on the parent groups still kick in.

You just need to be aware that listing all users does not work as expected, see https://issues.jboss.org/browse/KEYCLOAK-7950. If you navigate via the groups, you should be fine...

I am just not sure what you mean by "admin console scoped to a fixed realm". All of this only works on the same realm, other realms are completely separate things...

Best regards,
Sebastian


Kind regards / Best regards

Dr.-Ing. Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn



-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Thomas Darimont
Sent: Tuesday, 14 August 2018 20:58
To: keycloak-dev <keycloak-dev at lists.jboss.org>; keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-dev] Fine-grained permissions along hierarchy paths

Hello,

I have a realm with nested groups that denotes a hierarchical corporate structure.

/corp
-/org
--/branch1
---/division1
----/team1
----/team2
---/division2
----/team3
----/team4
--/branch2
-/infra
...
Users belong to one particular group along the /corp/org subtree, but might also be members of one or more groups from a different subtree, e.g., /corp/infra.

Is it possible to have dedicated admin users at /corp, /branchX, /divisionX level who can only view and manage the users from their group or subtree with an admin-console scoped to a fixed realm?

admin-console scoped to group-hierarchy-demo realm:
http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/group-hierarchy-demo/users

If a user logs in as division1-admin-user, he should only be able to see and manage the users beneath the path (/corp/org/branch1/division1/*).

Does the fine-grained permission system already support use cases like this?

Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
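The three steps Sebastian describes (enable permissions on the group, create a matching policy, assign the view-members and manage-members scopes), carried out against the Keycloak Admin REST API as an added Python example; this is not code from either poster or from the Keycloak project. It assumes the base URL and realm from Thomas's mail, master-realm credentials admin/admin, a realm user named division1-admin-user, that the fine-grained admin permissions preview feature is enabled on the server, that GET /groups returns nested subGroups as Keycloak did at the time of this thread, and that fields omitted from the permission PUT are left unchanged.

```python
BASE = "http://localhost:8080/auth"            # from Thomas's mail
REALM = "group-hierarchy-demo"                 # from Thomas's mail
MASTER_ADMIN = ("admin", "admin")              # assumed master-realm credentials
SCOPES = ("view-members", "manage-members")    # the scopes Sebastian names


def find_group_by_path(groups, path):
    """Depth-first search through GroupRepresentations (nested 'subGroups')
    for the one whose 'path' matches; None if the path does not exist."""
    for group in groups:
        if group.get("path") == path:
            return group
        hit = find_group_by_path(group.get("subGroups") or [], path)
        if hit is not None:
            return hit
    return None

def admin_session():
    """Log in to the master realm via admin-cli; returns a bearer-token session."""
    import requests  # imported here so find_group_by_path runs without it
    token = requests.post(f"{BASE}/realms/master/protocol/openid-connect/token",
                          data={"grant_type": "password", "client_id": "admin-cli",
                                "username": MASTER_ADMIN[0], "password": MASTER_ADMIN[1]})
    session = requests.Session()
    session.headers["Authorization"] = f"Bearer {token.json()['access_token']}"
    return session

def grant_subtree_admin(session, group_path, admin_username):
    """Sebastian's steps: enable permissions on the group, create a policy that
    matches the admin user, attach it to the view-members/manage-members scopes."""
    api = f"{BASE}/admin/realms/{REALM}"
    group = find_group_by_path(session.get(f"{api}/groups").json(), group_path)
    admin = session.get(f"{api}/users", params={"username": admin_username}).json()[0]
    rm = session.get(f"{api}/clients", params={"clientId": "realm-management"}).json()[0]
    authz = f"{api}/clients/{rm['id']}/authz/resource-server"
    # 1. Enabling permissions on the group yields one scope-permission id per scope.
    ref = session.put(f"{api}/groups/{group['id']}/management/permissions",
                      json={"enabled": True}).json()
    # 2. A user policy only the division admin satisfies (policy name is assumed).
    policy = session.post(f"{authz}/policy/user", json={
        "name": f"{admin_username}-policy", "users": [admin["id"]]}).json()
    # 3. Attach it to both member scopes; fields left out of the PUT are assumed unchanged.
    for scope in SCOPES:
        perm_url = f"{authz}/permission/scope/{ref['scopePermissions'][scope]}"
        perm = session.get(perm_url).json()
        perm["policies"] = [policy["id"]]
        session.put(perm_url, json=perm).raise_for_status()
    return ref["scopePermissions"]

if __name__ == "__main__":
    print(grant_subtree_admin(admin_session(), "/corp/org/branch1/division1", "division1-admin-user"))
```

Because permissions set on a parent group also cover members of its subgroups, running this once for /corp/org/branch1/division1 is enough for the division admin to reach team1 and team2 as well.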
