[keycloak-user] Remove permission to manage realm (but keep managing roles)

Pavel Micka Pavel.Micka at zoomint.com
Wed Mar 6 04:48:35 EST 2019


Hi,

I tried that yesterday. The issue with fine grained permissions is that it is an alpha feature... and we have not been able to make it fully work with role -> user assignments.
I had a policy there to allow assignment only once the time is > 2020-01-01, but the assignments (role -> user) were granted successfully anyway. On the other hand, the same policy worked flawlessly for assignments of roles to composite roles (forbidden). So I suppose that this alpha feature still has some glitches...

Also, as the fine grained permissions are an extension to the standard permissions in Keycloak, they can be used only to restrict the existing (top level) permissions.
But afaik there is no fine grained permission for realm settings (https://www.keycloak.org/docs/latest/server_admin/index.html#full-list-of-permissions), hence you can't grant realm_settings + roles on the top level and use a fine grained permission to narrow the permissions down to roles only.

Best regards,

Pavel
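Editor's note: the glitch described above (a fine grained policy that forbids role -> user assignment but is not actually enforced) is easiest to catch by probing the Admin REST API with a token for the restricted admin account rather than trusting the console. The script below is an added example and is not code from the thread or from the Keycloak project. It assumes a Keycloak of the 2019 era with the `/auth` context path, a placeholder host `keycloak.example.com`, realm `demo`, a realm role `app-admin`, a user id `u1` and a restricted admin named `restricted-admin`; the endpoint paths are the standard Admin REST API paths for realm settings, clients, roles, role composites and user role mappings. The expected outcomes encoded in `probe_plan` are the ones this thread is after: realm settings and client registration denied, role management allowed, role -> user mapping denied by the fine grained policy.

```python
"""Probe which Keycloak admin operations a restricted admin account may perform.

Added example, not from the mailing list thread or the Keycloak project.
Host, realm, role name, user id and credentials are placeholders.  Run it against
a throwaway realm: a probe that is *allowed* really creates a role / changes a setting.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com/auth"   # assumption: Keycloak with the /auth context path
REALM = "demo"                               # assumption: realm being administered


def get_token(base, realm, username, password):
    """Password grant against the built-in admin-cli client; returns an access token."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base}/realms/{realm}/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def http_send(method, url, token, body=None):
    """Send one admin API request and return the HTTP status (4xx is a result, not an error)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe_plan(base, realm, user_id, role):
    """Operations to probe as (label, method, url, body, should_be_allowed).

    The expectations are the ones discussed in the thread: realm-level changes and
    client registration denied, role management allowed, role -> user mapping denied.
    """
    admin = f"{base}/admin/realms/{realm}"
    role_rep = [{"name": role}]
    return [
        ("change realm settings", "PUT", admin, {"displayName": "probe"}, False),
        ("register client", "POST", f"{admin}/clients", {"clientId": "probe-client"}, False),
        ("create realm role", "POST", f"{admin}/roles", {"name": "probe-role"}, True),
        ("add composite to role", "POST", f"{admin}/roles/{role}/composites", role_rep, True),
        ("map role to user", "POST", f"{admin}/users/{user_id}/role-mappings/realm", role_rep, False),
    ]


def classify(status):
    """Turn an HTTP status into an authorization verdict.

    Keycloak checks authorization before it checks for duplicates, so a 409 Conflict
    (role or client already exists) also proves the permission was granted.
    """
    if 200 <= status < 300 or status == 409:
        return "allowed"
    if status in (401, 403):
        return "denied"
    return f"other({status})"


def run_probe(plan, token, send=http_send):
    """Execute every probe; `send` is injectable so the logic can be tested offline."""
    return {label: classify(send(method, url, token, body))
            for label, method, url, body, _ in plan}


def mismatches(plan, results):
    """Operations whose real outcome differs from what the policy is supposed to enforce."""
    out = []
    for label, *_, should_allow in plan:
        want = "allowed" if should_allow else "denied"
        if results[label] != want:
            out.append((label, want, results[label]))
    return out


if __name__ == "__main__":
    # Placeholder credentials for the restricted admin under test.
    tok = get_token(BASE, REALM, "restricted-admin", "changeme")
    plan = probe_plan(BASE, REALM, "u1", "app-admin")
    res = run_probe(plan, tok)
    for label, verdict in res.items():
        print(f"{label:24s} {verdict}")
    for label, want, got in mismatches(plan, res):
        print(f"POLICY NOT ENFORCED: {label}: expected {want}, got {got}")
```

A non-empty `mismatches` list is the signal to look for: in the situation described above, "map role to user" would come back as allowed even though the fine grained policy should deny it, while the composite-role probe would correctly be allowed. Because only status codes are inspected, the same probe can be re-run after every change to the permission setup.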


-----Original Message-----
From: Vlasta Ramik <vramik at redhat.com> 
Sent: Wednesday, March 6, 2019 10:00 AM
To: Pavel Micka <Pavel.Micka at zoomint.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Remove permission to manage realm (but keep managing roles)

... and there is the link: 
https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

On 3/6/19 9:53 AM, Vlasta Ramik wrote:
> Hey Pavel,
>
> it seems you need role based access control; there is a link [1] where 
> fine grain permissions are described, it may help you.
>
> [1]
>
> V.
>
> On 3/5/19 9:47 PM, Pavel Micka wrote:
>> Hi,
>>
>>
>> Is it somehow possible to remove from a user the permission to manage the realm itself (example: client registration, tokens) but keep role management in place for the user (so he can create composite roles)?
>>
>>
>> If it is possible with fine grained permissions, can you please send me a howto, because I am unable to set it up (using the docs)...
>>
>>
>> Thanks for help,
>>
>>
>> Pavel
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user


