[keycloak-user] how to create a user with restricted manager-user rights/role for a group
Madhu
kkcmadhu at yahoo.com
Tue Sep 18 01:57:18 EDT 2018
Hi,
I need to create a group in the master realm, where any user in this group can do manage-users for any other user belonging to the group. Users in this group will not be able to manage any other user (for example, the master realm's admin user).
I need this kind of facility to work around the issue of the ever-growing access token mentioned in https://issues.jboss.org/browse/KEYCLOAK-1268
My idea is to have a separate group in the master realm whose members will have view-users, create-realm and manage-user permissions (but they should be able to manage other co-users in this group alone). Once a new realm is created, the user who created it becomes the default admin in the newly provisioned realm. After creating the realm, the logged-in user will appoint a new user (belonging to the new realm) as the admin and relinquish his own rights to be the admin of the new realm (thus keeping his own auth token size at bay)...
But since the user who created the realm belongs to the master realm and has manage-user access, I would like to ensure that this user does not inadvertently or intentionally mess up the master realm's admin users' access.
Can someone guide me on how to set up a group which has restricted manage-user access (i.e. perform manage-users for group members alone)?
Regards,
Madhu