[keycloak-user] Testing realm-management fine grain access control

M Foster fostdev at gmail.com
Thu Sep 12 16:59:05 EDT 2019


Ah, I figured it out. I also had to enable Permissions for the entire User
base under Users > Permissions, then click "manage-group-membership". This
created the manage-group-membership.permission.users permission in
realm-management, to which I applied the admin user policy. Now the "Join"
button appears and I can add a user to the group I configured earlier.

Not the easiest of procedures.

On Wed, Sep 11, 2019 at 8:01 PM M Foster <fostdev at gmail.com> wrote:

> Hello,
>
> I am testing Keycloak for deployment and one of the scenarios for adoption
> is the ability for some users to manage their own group membership. I've
> read through the Server Admin guide and it says that this functionality
> only available in a Technical Preview state.
>
> I've enabled the tech preview mode and have enabled Permissions for a
> group and now see the default scope names that appear under Groups >
> testgroup > Permissions (view, manage, view-membership, view-members,
> manage-members, manage-membership), which are part of the realm-management
> Authorization section. This also creates a group resource
> "group.resource.<group_UUID>". I've created a User Policy for a single user
> and then attached that policy to the Keycloak created permission
> "manage.membership.permission.group.<group_UUID>" as well as the
> "group.resource.<group_UUID>". I've also assigned this test admin user the
> query-groups, query-users, and view-users realm-management client role, so
> in theory if this user logs into the realm admin console, they should see
> Groups and Users and be able to select a user and join them to the group in
> the realm on which I enabled permissions and set the policy.
>
> This all works, except the last bit: the "join" button is not visible in
> the group tab of a user that I'd like to add to my test group.
> Additionally, I can't manage the settings of any of the users. I have all
> six permissions assigned to that User Policy, but still no go. Any ideas
> what piece I'm missing?
>
> Thanks.
>

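The procedure the thread arrives at (enable Permissions on the group, enable Permissions on the realm-wide Users resource, create a User Policy for the delegated admin, and attach that policy to both the group's manage-membership permission and the users' manage-group-membership permission) can be scripted against the Keycloak admin REST API. The block below is an added example, not code from the thread or from the Keycloak project. The endpoint paths and JSON field names are this example's reading of the admin REST API and are assumptions to verify against your server version; the host, realm, UUIDs and the `StubSession` responses are constructed placeholders so the script runs offline. The point it makes is the one the thread found the hard way: the policy has to be on both scopes, and existing policies on a permission are preserved rather than overwritten.

```python
"""Delegate group-membership management to one admin user via Keycloak's
fine-grained admin permissions. Added example; endpoint paths and JSON field
names are assumptions about the Keycloak admin REST API, not project code."""
from __future__ import annotations
from typing import Any, Dict, List

# Scope names exactly as the thread lists them: the group-level scope alone
# does not make the "Join" button appear; the users-level scope is needed too.
GROUP_SCOPE = "manage-membership"        # Groups > <group> > Permissions
USERS_SCOPE = "manage-group-membership"  # Users > Permissions


class AdminApi:
    """Thin wrapper over a requests-like session exposing get/post/put."""

    def __init__(self, session: Any, base_url: str, realm: str) -> None:
        self.s, self.base, self.realm = session, base_url.rstrip("/"), realm

    def _call(self, method: str, path: str, **kw: Any) -> Any:
        resp = getattr(self.s, method)(f"{self.base}/admin/realms/{self.realm}/{path}", **kw)
        resp.raise_for_status()
        return resp.json() if resp.content else None  # some PUTs return no body

    def realm_management_uuid(self) -> str:
        return self._call("get", "clients", params={"clientId": "realm-management"})[0]["id"]

    def enable_group_permissions(self, group_id: str) -> Dict[str, str]:
        # Same as switching "Permissions Enabled" on for the group; returns scope -> permission id.
        return self._call("put", f"groups/{group_id}/management/permissions",
                          json={"enabled": True})["scopePermissions"]

    def enable_users_permissions(self) -> Dict[str, str]:
        # Same as switching "Permissions Enabled" on under Users > Permissions.
        return self._call("put", "users-management-permissions",
                          json={"enabled": True})["scopePermissions"]

    def create_user_policy(self, client: str, name: str, user_ids: List[str]) -> str:
        # A User Policy that grants to the listed users only (least privilege: no role widening).
        body = {"name": name, "users": user_ids, "logic": "POSITIVE"}
        return self._call("post", f"clients/{client}/authz/resource-server/policy/user", json=body)["id"]

    def attach_policy(self, client: str, permission_id: str, policy_id: str) -> List[str]:
        """Add policy_id to a scope permission, keeping its existing policies/resources/scopes."""
        base = f"clients/{client}/authz/resource-server/policy/{permission_id}"
        perm = self._call("get", base)

        def ids(sub: str) -> List[str]:
            return [x["id"] for x in self._call("get", f"{base}/{sub}")]

        policies = ids("associatedPolicies")
        if policy_id not in policies:
            policies.append(policy_id)
        perm.update(resources=ids("resources"), scopes=ids("scopes"), policies=policies)
        self._call("put", base, json=perm)
        return policies


def delegate_group_membership(api: AdminApi, group_id: str, admin_user_id: str,
                              policy_name: str = "delegated-group-admins") -> Dict[str, List[str]]:
    """Run the whole procedure from the thread; returns scope -> policies now attached."""
    client = api.realm_management_uuid()
    group_perms = api.enable_group_permissions(group_id)
    users_perms = api.enable_users_permissions()
    policy = api.create_user_policy(client, policy_name, [admin_user_id])
    targets = {GROUP_SCOPE: group_perms[GROUP_SCOPE], USERS_SCOPE: users_perms[USERS_SCOPE]}
    return {scope: api.attach_policy(client, pid, policy) for scope, pid in targets.items()}


class _Resp:
    def __init__(self, data: Any) -> None:
        self.content, self._d = (b"1" if data is not None else b""), data
    def raise_for_status(self) -> None: ...
    def json(self) -> Any: return self._d


class StubSession:
    """Constructed in-memory stand-in for requests.Session; records PUT bodies."""
    def __init__(self) -> None:
        self.updated: Dict[str, Dict[str, Any]] = {}
    def get(self, url: str, params: Any = None) -> _Resp:
        tail = url.rsplit("/", 2)
        if url.endswith("/clients"):
            return _Resp([{"id": "rm-uuid"}])
        if tail[-1] == "associatedPolicies":
            return _Resp([{"id": "existing-policy"}])  # pretend one policy is already attached
        if tail[-1] in ("resources", "scopes"):
            return _Resp([{"id": f"{tail[-2]}-{tail[-1]}"}])
        return _Resp({"id": tail[-1], "name": f"perm-{tail[-1]}", "type": "scope"})
    def post(self, url: str, json: Any = None) -> _Resp:
        return _Resp({"id": "policy-" + json["name"]})
    def put(self, url: str, json: Any = None) -> _Resp:
        if url.endswith("/management/permissions"):
            return _Resp({"enabled": True, "scopePermissions": {GROUP_SCOPE: "gperm-1", "view": "gperm-2"}})
        if url.endswith("/users-management-permissions"):
            return _Resp({"enabled": True, "scopePermissions": {USERS_SCOPE: "uperm-1", "manage": "uperm-2"}})
        self.updated[url.rsplit("/", 1)[-1]] = json
        return _Resp(None)


if __name__ == "__main__":
    # Offline run against the stub. For a live server pass a requests.Session()
    # carrying a bearer token obtained from /realms/master/protocol/openid-connect/token.
    print(delegate_group_membership(AdminApi(StubSession(), "https://keycloak.example.test", "demo"),
                                    "group-uuid", "admin-user-uuid"))
```

Note that the script grants only the two scopes the thread needed; the delegated user still needs the query-groups, query-users and view-users client roles mentioned in the original post to navigate the admin console, and nothing here touches `manage-users` or the other generated permissions.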
