<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>body{font-family:Verdana,Arial;font-size:13px}</style>
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Hi everyone,
<div><br>
</div>
<div>while I totally agree that any configuration of the bruteforce-detection should require the realm-management role, I’d like to raise the question if clearing failed attempts should be that restrictive.</div>
<div><br>
</div>
<div>This affects the following service endpoints:</div>
<div><br>
</div>
<div>
<div>DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}</div>
<div>DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames</div>
</div>
<div><br>
</div>
<div>We would like to enable call center agents to unlock specific users, but giving them realm-management permissions doesn't feel right. Wouldn’t user-management be a more appropriate permission for these endpoints, or are there side effects to consider?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Gregor</div>
</body>
</html>