[keycloak-user] Fine-grained permissions to map a client role to a group

Leistert Christoph (INST/ECS2) Christoph.Leistert at bosch-si.com
Thu Jun 14 06:41:50 EDT 2018


Hello,
We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a client role and map this client role to a group they are already a member of.
For the client creation and client role creation we assigned the realm role "manage-clients" to the users, and this is okay for our setup. Additionally, the users are assigned the "query-groups" realm role, so that they can see the groups.
We struggle a bit with the right role/permissions setup to map the client role to a group.
First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which also allows the user to e.g. see all users. This should not be possible for these users.
Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions, and the "map-role" permission of the "Users" resource does not allow mapping a role to a group (403 Forbidden).
Is there any other way than using the "manage-users" realm role to map a client role to a group?
Is it planned to add fine-grained permissions for a "Groups" resource?

Best regards

Christoph Leistert

(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn
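The workflow described in the post (create a client, create a client role, map that role onto an existing group) as a small Python script against the Keycloak Admin REST API. This is an added example, not code from the poster or from the Keycloak project. It assumes the Keycloak 3.x endpoint paths under the `/auth` prefix, an admin access token obtained elsewhere, and a constructed fake server (`fake_keycloak`, with hypothetical ids such as `c0ffee`) that models the post's permission set: `manage-clients` and `query-groups` granted, `manage-users` absent, so only the final role-mapping call is refused with 403. Recording the status of every step makes it easy to see exactly which call a given role set is missing, instead of granting `manage-users` wholesale.

```python
"""Reproduce the client-role-to-group mapping flow from the post over the
Keycloak Admin REST API and report which step, if any, is refused.

The HTTP layer is pluggable so the flow can run offline against a
constructed fake; paths follow the Keycloak 3.x admin API under /auth."""
import json
import urllib.error
import urllib.request

ADMIN_PREFIX = "/auth/admin/realms/"  # Keycloak 3.x still serves under /auth


def urllib_transport(base_url, token):
    """Transport for a real server: call(method, path, body) -> (status, text, headers)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode(), dict(resp.headers)
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(), dict(err.headers)
    return call


def _fail(step, status, steps):
    return {"mapped": False, "failed_step": step, "status": status, "steps": steps}


def map_client_role_to_group(call, realm, client_id, role_name, group_name):
    """Run the admin calls in order; stop at the first refused one and say which."""
    base = ADMIN_PREFIX + realm
    steps = []  # (step name, HTTP status) per request, for an audit trail

    # 1. Create the client (covered by manage-clients).
    status, _, headers = call("POST", base + "/clients",
                              {"clientId": client_id, "enabled": True})
    steps.append(("create-client", status))
    if status != 201:
        return _fail("create-client", status, steps)
    internal_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]

    # 2. Create the client role (covered by manage-clients).
    status, _, _ = call("POST", f"{base}/clients/{internal_id}/roles", {"name": role_name})
    steps.append(("create-client-role", status))
    if status != 201:
        return _fail("create-client-role", status, steps)

    # 3. Read the role back; the mapping call needs its id.
    status, text, _ = call("GET", f"{base}/clients/{internal_id}/roles/{role_name}")
    steps.append(("read-client-role", status))
    if status != 200:
        return _fail("read-client-role", status, steps)
    role = json.loads(text)

    # 4. Find the target group (covered by query-groups); top-level groups only here.
    status, text, _ = call("GET", base + "/groups")
    steps.append(("list-groups", status))
    if status != 200:
        return _fail("list-groups", status, steps)
    group = next((g for g in json.loads(text) if g["name"] == group_name), None)
    if group is None:
        return _fail("find-group", 404, steps)

    # 5. Map the role onto the group; with the post's role set this returns 403.
    status, _, _ = call("POST", f"{base}/groups/{group['id']}/role-mappings/clients/{internal_id}",
                        [{"id": role["id"], "name": role["name"]}])
    steps.append(("map-role-to-group", status))
    if status != 204:
        return _fail("map-role-to-group", status, steps)
    return {"mapped": True, "failed_step": None, "status": 204, "steps": steps}


def fake_keycloak(can_manage_group_mappings):
    """Constructed stand-in for a server: manage-clients and query-groups are
    granted, so steps 1-4 succeed; step 5 is refused unless the flag is set."""
    def call(method, path, body=None):
        if method == "POST" and path.endswith("/clients"):
            return 201, "", {"Location": path + "/c0ffee"}  # hypothetical internal id
        if method == "POST" and path.endswith("/c0ffee/roles"):
            return 201, "", {}
        if method == "GET" and "/clients/c0ffee/roles/" in path:
            name = path.rsplit("/", 1)[-1]
            return 200, json.dumps({"id": "r-1", "name": name, "clientRole": True}), {}
        if method == "GET" and path.endswith("/groups"):
            return 200, json.dumps([{"id": "g-1", "name": "team-a", "path": "/team-a"}]), {}
        if method == "POST" and "/role-mappings/clients/" in path:
            return (204, "", {}) if can_manage_group_mappings else (403, "", {})
        return 404, "", {}
    return call


if __name__ == "__main__":
    # Offline run against the fake; swap in urllib_transport(url, token) for a real realm.
    print(map_client_role_to_group(fake_keycloak(False), "demo", "tenant-app", "tenant-admin", "team-a"))
```

The `steps` list in the result is the useful part when tuning a least-privilege admin role set: each entry pairs an admin operation with the status it got, so a refused step points at the missing permission rather than at the whole flow.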



