[keycloak-user] realm-management policies not affecting admin-console

Pedro Igor Silva psilva at redhat.com
Mon Jul 9 07:50:38 EDT 2018


Hi,

If you assign *query-users* role to "new_support_group", make the user a
member of "new_support_group", enable permissions to "new_user_group" and
configure the "manage" permission, you should be able to restrict the users
that the user is allowed to see.

Regards.
Pedro Igor

On Mon, Jul 9, 2018 at 8:13 AM, Nils Wild <nils.wild at sinnovate.de> wrote:

> Hi,
>
> I think I got something wrong about how policies are supposed to work in
> Keycloak 4.1.0.Final
>
> I tried to configure a support group that has access to a certain group
> of customers but not all, so I created a new_user_group and a
> support_group (this group has realm-management roles to view and manage
> users so I can see those admin-console menus) and added policies, such
> that the support_group can only see and manage that group and users of
> that new_user_group but not those of old_user_group. Unfortunately, after
> logging in with a user of support_group I can see all users and groups,
> not only those of the new_user_group when clicking "view all users".
>
> I already used the Authorization Evaluator of the realm-management
> client. The funny thing is that if I choose the new user of the
> support_group and the old_user_group resource with view scope it
> correctly determines that access should be denied.
>
> Am I missing something? Maybe the problem is that the new_support_group
> does have realm-management roles like view-users? But if I remove those
> roles I am not able to see any menu.
>
> Nils

