[keycloak-user] Fine-grained permissions to map a client role to a group

Pedro Igor Silva psilva at redhat.com
Fri Jun 22 14:05:22 EDT 2018


Hi,

We do support fine-grained permissions for Groups. But I think your problem
is related to the fact that there is no specific permission for mapping
a role to a group. Is that correct?

Regarding the "manage-users" role, this is the role that grants access to
groups, as does "view-users".

Regards.
Pedro Igor

On Thu, Jun 14, 2018 at 7:41 AM, Leistert Christoph (INST/ECS2) <
Christoph.Leistert at bosch-si.com> wrote:

> Hello,
> We use Keycloak 3.4.3 and we are trying to find a way to let users create
> clients with a client role and map this client role to a group they are
> already a member of.
> For the client creation and client role creation we assigned the realm
> role "manage-clients" to the users and this is okay for our setup.
> Additionally the users are assigned to the "query-groups" realm role, so
> that they could see the groups.
> We struggle a bit with the right role/permissions setup to map the client
> role to a group.
> First, we tried to use realm roles only. However, for mapping a role to a
> group the "manage-users" role is needed, which allows the user also to e.g.
> see all users. This should not be possible for these users.
> Now we try to use fine-grained permissions to realize our scenario. But
> for the group entity there are no fine-grained permissions and the
> "map-role" permission of the "Users" resource does not allow mapping a role
> to a group (403 Forbidden).
> Is there any other way than using the "manage-users" realm role to map a
> client role to a group?
> Is it planned to add fine-grained permissions for a "Groups" resource?
>
> Mit freundlichen Grüßen / Best regards
>
> Christoph Leistert
>
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY
> | www.bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn