[keycloak-user] Admin console: Custom roles

Pavel Micka Pavel.Micka at zoomint.com
Thu Sep 26 09:43:49 EDT 2019


Hi,

We hit the following issue: in our system, we need to have users who are allowed to manage users but not to delete them from the system (they may just disable them, so we still have the user object available for other parts of the system).

The issue is that Keycloak does not have a role for this particular task - whoever has manage-users can also perform the delete. Is there any way to extend the default KC behavior and add a role requirement for the given REST endpoint? Our idea was to introduce a role delete-users that will be required for this operation (either as a replacement for manage users for this endpoint, or as an additional prerequisite).
Or is there some other way to achieve this?

Thanks,

Pavel

We also looked at fine-grained permissions, but those do not seem to support this scenario.

