[keycloak-user] User cannot assign client Role to user with just

Pedro Igor Silva psilva at redhat.com
Wed Sep 11 16:58:29 EDT 2019


I think your expectation makes sense. But that is how it is implemented
today. I would ask you to create a JIRA so we can track this.

We have quite a few RFEs and issues for fine-grained that we would like to
address in the future. We also want a complete review of the functionality
based on all the feedback we had during the lifetime of this feature.

Regards.
Pedro Igor

On Wed, Sep 11, 2019 at 4:40 PM robrecht anrijs <robrecht.anrijs at gmail.com>
wrote:

> Sebastian,
>
> Thx for the quick response, I've tried it, indeed, it's better. Only that
> client is visible now.
>
> But I would expect, that I don't have to give access to the whole client.
> When using fine-grained permissions I have to add my user-policy to the
> view-scope permission of the specific client. Only then the user can add a
> client-role to a user or group.
> I would expect that the map-roles scope would be sufficient?
>
> Regards,
> Robrecht
>
> On Wed, Sep 11, 2019 at 15:52, Schuster Sebastian (INST-CSS/BSV-OS2) <
> Sebastian.Schuster at bosch-si.com> wrote:
>
> > Hi Robrecht,
> >
> > That’s exactly how we do it, give the user query-clients and fine-grained
> > permissions on every client he is allowed to see.
> >
> > Best regards,
> > Sebastian
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org <
> > keycloak-user-bounces at lists.jboss.org> On Behalf Of robrecht anrijs
> > Sent: Wednesday, September 11, 2019 13:43
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] User cannot assign client Role to user with just
> >
> > Hi keycloak users,
> >
> > We recently upgraded from keycloak 3.4.3 to 6.0.1, and noticed that a user
> > with the roles 'manage-users' and 'view-users' on the client
> > 'realm-management' cannot see the list of client roles any more. Because of
> > that, the user cannot assign a specific client role to a group or a user.
> >
> > Screenshot:
> > [image: image.png]
> > Is this a bug? Or is it expected behaviour?
> >
> > As a workaround I added the role 'view-clients' to that user, but now the
> > user sees too much. I only want to configure that user, so he can manage
> > the roles for users & groups. Do I need to enable the fine-grained
> > permissions for that (
> > https://www.keycloak.org/docs/6.0/server_admin/#_fine_grain_permissions)?
> >
> > Thx for the answers,
> >
> > Kind regards,
> > Robrecht
> >