[keycloak-user] Limitations of create_realm role or a bug?

Marek Posolda mposolda at redhat.com
Tue Aug 21 06:43:47 EDT 2018


Did you try to look at fine-grain admin permissions and check if they 
can help you? I am not 100% sure, but I think that with fine-grain admin 
permissions enabled, there will be a new "resource" created when the user 
creates the realm, and this resource will have the user as an owner. 
Hopefully this can help you achieve what you want (e.g. specify that the 
owner/creator of the realm can do anything in that realm).

Marek

On 21/08/18 09:37, Christian Neudert wrote:
> Hi,
>
> Does someone have an opinion on this? Should I create a bug for it?
>
> Best regards,
> Christian Neudert
>
> On 16.08.18, 12:07, "keycloak-user-bounces at lists.jboss.org on behalf of Christian Neudert" <keycloak-user-bounces at lists.jboss.org on behalf of christian.neudert at doksafe.de> wrote:
>
>      Hello,
>
>      I have a permission problem with realms created by a user in the master realm who has the “create_realm” role only. This user can create a realm and new users in it but can’t assign the “impersonation” role to them. From my understanding, it’s because this user doesn’t have the “impersonation” role in the master realm and therefore can’t assign it to another user in another realm. This is expected according to what’s written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-roles.
>
>      My problem is that I can’t configure the created realm completely with this user without that possibility. It also contradicts what’s written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: “Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create.“
>
>      Should a user with the ‘create_realm’ role be allowed to set the ‘impersonation’ role for users in realms created by her or is it a bug? If it’s a wanted restriction I don’t know how to solve that problem without giving this user the admin permission in the master realm which is… not so good.
>
>      FYI: I’m using Keycloak 3.4 with the Java Keycloak Admin CLI at the moment.
>
>      Best regards,
>      Christian Neudert
>
>      _______________________________________________
>      keycloak-user mailing list
>      keycloak-user at lists.jboss.org
>      https://lists.jboss.org/mailman/listinfo/keycloak-user
>




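The situation Christian describes, reproduced against the Admin REST API with the Keycloak Java admin client (org.keycloak:keycloak-admin-client), as an added example that is not code from this thread or from the Keycloak project. It logs in to master as a user holding only create-realm, creates a realm and a user in it, attempts to grant that user the realm-management "impersonation" client role, and reports whether the server answered 403. The last step is the check a practitioner wants before filing a bug: log in as a master admin and list which roles of the "<realm>-realm" client in master the creator was actually granted, which is where the docs say realm-specific permissions such as impersonation live. The server URL, realm name, user names and passwords are assumptions, as is the availability of the public admin-cli client for the password grant.

```java
// Added example (not from the thread or the Keycloak project).
// Assumed: org.keycloak:keycloak-admin-client on the classpath, a Keycloak 3.x
// server at SERVER, a master user "realm-creator" with only create-realm,
// and a master admin "admin". Realm name, credentials and URL are made up.
import java.util.Collections;
import java.util.List;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateRealmImpersonationCheck {

    static final String SERVER = "https://keycloak.example.com/auth"; // assumed
    static final String NEW_REALM = "tenant-a";                       // assumed

    public static void main(String[] args) {
        // 1. Log in to master as the user that holds only create-realm.
        Keycloak creator = KeycloakBuilder.builder()
                .serverUrl(SERVER).realm("master").clientId("admin-cli")
                .username("realm-creator").password("creator-secret") // assumed
                .build();

        // 2. Create the realm; per the docs the creator gets full access to it.
        RealmRepresentation realm = new RealmRepresentation();
        realm.setRealm(NEW_REALM);
        realm.setEnabled(true);
        creator.realms().create(realm);

        // 3. Create a user inside the new realm (this part works for the creator).
        RealmResource tenant = creator.realm(NEW_REALM);
        UserRepresentation user = new UserRepresentation();
        user.setUsername("tenant-admin");
        user.setEnabled(true);
        Response created = tenant.users().create(user);
        String userId = lastPathSegment(created.getLocation().getPath());
        created.close();

        // 4. Try to grant the realm-management "impersonation" client role.
        //    A 403 here is the behaviour reported in the thread.
        ClientRepresentation realmMgmt =
                tenant.clients().findByClientId("realm-management").get(0);
        RoleRepresentation impersonation = tenant.clients().get(realmMgmt.getId())
                .roles().get("impersonation").toRepresentation();
        try {
            tenant.users().get(userId).roles().clientLevel(realmMgmt.getId())
                    .add(Collections.singletonList(impersonation));
            System.out.println("impersonation granted: creator holds the matching role in master");
        } catch (ForbiddenException e) {
            System.out.println("403: creator may not grant impersonation in " + NEW_REALM);
        }

        // 5. Diagnosis (needs a master admin): which roles of the "<realm>-realm"
        //    client in master did the creator actually receive? If "impersonation"
        //    is missing from this list, the 403 above follows from the realm-specific
        //    roles section of the docs rather than from a bug in the new realm.
        Keycloak admin = KeycloakBuilder.builder()
                .serverUrl(SERVER).realm("master").clientId("admin-cli")
                .username("admin").password("admin-secret") // assumed
                .build();
        RealmResource master = admin.realm("master");
        String creatorId = master.users().search("realm-creator").get(0).getId();
        ClientRepresentation realmClient =
                master.clients().findByClientId(NEW_REALM + "-realm").get(0);
        List<RoleRepresentation> effective = master.users().get(creatorId).roles()
                .clientLevel(realmClient.getId()).listEffective();
        for (RoleRepresentation r : effective) {
            System.out.println(NEW_REALM + "-realm role held by creator: " + r.getName());
        }
    }

    // The created user's id is the last segment of the 201 Location header.
    static String lastPathSegment(String path) {
        return path.substring(path.lastIndexOf('/') + 1);
    }
}
```

Run it once with the creator credentials only (steps 1 to 4) to confirm the 403, then with the admin credentials to read the effective "<realm>-realm" roles; comparing that list with what the creator needs to grant in the new realm tells you whether the limitation is the documented master-realm rule or something worth reporting.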