[keycloak-user] Implementing a global admin role
Stefan Hesse
lists at stefan-hesse.net
Fri Jul 6 10:00:09 EDT 2018
Hello,
I am trying to implement some kind of global admin role that grants
access rights to all scopes within a resource.
What I did is the following:
- Defined a permission with a group policy on the resource (Admin)
- Defined a permission with a user policy on one specific scope e.g.
view. (normal user)
The problem that arises is, while evaluating the polices, the global
group policy always overwrites the decision from the group policy.
Therefore the user will always be denied access, even though one
permission grants access.
Can I change this behavior to make the accumulated result "PERMIT"
instead of "DENY"?
Best Regards
Stefan
More information about the keycloak-user
mailing list