[keycloak-user] Limitations of create_realm role or a bug?

Christian Neudert christian.neudert at doksafe.de
Thu Aug 16 06:06:16 EDT 2018


Hello,

I have a permission problem with realms created by a user in the master realm who has the “create_realm” role only. This user can create a realm and new users in it but can’t assign the “impersonation” role to them. From my understanding, it’s because this user doesn’t have the “impersonation” role in the master realm and therefore can’t assign it to another user in another realm. This is expected according to what’s written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-roles.

My problem is that I can’t configure the created realm completely with this user without that possibility. It also contradicts what’s written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: “Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create.”

Should a user with the ‘create_realm’ role be allowed to set the ‘impersonation’ role for users in realms created by her, or is it a bug? If it’s a wanted restriction, I don’t know how to solve that problem without giving this user the admin permission in the master realm, which is… not so good.

FYI: I’m using Keycloak 3.4 with the Java Keycloak Admin CLI atm.

Best regards,
Christian Neudert

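A small audit script, added here as an illustration and not part of the original post or of Keycloak itself. It models the situation described above: Keycloak represents each realm inside the master realm as a client named `<realm>-realm`, and the admin roles a master-realm user holds for that realm are client roles of that client. The script compares the full role list of that client with the roles actually mapped to the realm creator and reports the gap, then applies the rule the poster describes (a master-realm user can only hand out a realm role she holds herself). The realm name `tenant1`, the role ids and container ids, and the JSON payloads are constructed sample data shaped like Keycloak's RoleRepresentation objects; in a real check they would come from the admin REST API or kcadm.sh.

```python
import json

# Constructed sample data (not captured from a real server), shaped like
# Keycloak's RoleRepresentation: id, name, clientRole, containerId.
# "tenant1-realm" is the master-realm client that carries the admin roles
# for the assumed realm "tenant1".
REALM = "tenant1"

# All client roles of the master-realm client "tenant1-realm".
TENANT1_REALM_CLIENT_ROLES = """[
  {"id": "r-1", "name": "manage-users",  "clientRole": true, "containerId": "c-tenant1-realm"},
  {"id": "r-2", "name": "manage-realm",  "clientRole": true, "containerId": "c-tenant1-realm"},
  {"id": "r-3", "name": "view-users",    "clientRole": true, "containerId": "c-tenant1-realm"},
  {"id": "r-4", "name": "impersonation", "clientRole": true, "containerId": "c-tenant1-realm"}
]"""

# Client role mappings of the realm creator on that same client
# (constructed to reproduce the poster's observation: no "impersonation").
CREATOR_ROLE_MAPPINGS = """[
  {"id": "r-1", "name": "manage-users",  "clientRole": true, "containerId": "c-tenant1-realm"},
  {"id": "r-2", "name": "manage-realm",  "clientRole": true, "containerId": "c-tenant1-realm"},
  {"id": "r-3", "name": "view-users",    "clientRole": true, "containerId": "c-tenant1-realm"}
]"""


def role_names(role_json: str) -> set:
    """Extract the role names from a JSON array of RoleRepresentation objects,
    keeping only client roles (realm-level roles such as create-realm are
    not what we compare here)."""
    return {r["name"] for r in json.loads(role_json) if r.get("clientRole")}


def missing_realm_roles(all_roles_json: str, held_roles_json: str) -> list:
    """Roles that exist on the <realm>-realm client but are not mapped to the
    admin user. A non-empty result means 'full access' was not granted."""
    return sorted(role_names(all_roles_json) - role_names(held_roles_json))


def can_grant(role: str, held_roles_json: str) -> bool:
    """The rule described in the post: a master-realm admin can only map a
    realm's admin role onto another user if she holds that role herself."""
    return role in role_names(held_roles_json)


def audit(realm: str, all_roles_json: str, held_roles_json: str) -> dict:
    """Summarise the creator's effective permissions on the realm."""
    missing = missing_realm_roles(all_roles_json, held_roles_json)
    return {
        "realm": realm,
        "client": f"{realm}-realm",
        "missing": missing,
        "can_grant_impersonation": can_grant("impersonation", held_roles_json),
    }


if __name__ == "__main__":
    report = audit(REALM, TENANT1_REALM_CLIENT_ROLES, CREATOR_ROLE_MAPPINGS)
    print(json.dumps(report, indent=2))
```

To run the same comparison against a live server, the two JSON arrays can be fetched with the Admin CLI the post mentions: `kcadm.sh get-roles -r master --cclientid tenant1-realm` lists the client's roles, and `kcadm.sh get-roles -r master --uusername <creator> --cclientid tenant1-realm` lists the ones mapped to the creator. A missing `impersonation` entry in the second list is exactly the condition under which the assignment in the created realm is refused.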

