[keycloak-user] Realm admins that can only create users (but not list/query them)

Rafael Weingärtner rafaelweingartner at gmail.com
Tue Mar 12 12:19:24 EDT 2019


Hello Keycloakers,
I was wondering, is it possible to create a policy to authorize certain
users to create other users, but not list the users that we already have in
the realm?

I know that I can control the groups listed for user-group management for
certain realm admins, but we want/need something different. We need to
allow specific users to add new users and assign them to groups (some
restricted groups). Ideally, they should be able to manage all users in their
own group as well.

Is something like this possible? I am reading about authorization scopes,
and authorization service, but I am kind of lost on how to manage scope and
policies to Keycloak actions (create/delete/update/list
resources[users/clients/groups]).

-- 
Rafael Weingärtner

