Hi Thomas,
I think this should work. You will just have to enable permissions for the groups /corp,
/branchX, /divisionX and create matching policies and assign the scopes view-members and
manage-members.
If a user is a member of one of the subgroups, the permissions defined on the parent
groups still kick in.
You just need to be aware that listing all users does not work as expected, see
https://issues.jboss.org/browse/KEYCLOAK-7950. If you navigate via the groups, you should
be fine...
I am just not sure what you mean by "admin console scoped to a fixed realm". All
of this only works on the same realm, other realms are completely separate things...
Best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber,
Michael Hahn
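To make the steps in the reply concrete (enable permissions on the group, create a policy, attach it to the view-members and manage-members scope permissions), here is an added example written for this thread; it is not Sebastian's code and not part of the Keycloak project. It talks to the admin REST API of a Keycloak 4.x server with nothing beyond the Python standard library. Assumptions: the server runs at http://localhost:8080/auth, the realm is the group-hierarchy-demo realm from Thomas's message, the master-realm admin is named admin, the group path and the user name division1-admin-user are placeholders, and the group-by-path endpoint is available in your version. It does not grant the realm-management client roles (for example query-users and query-groups) that the delegated admin may additionally need before the admin console shows anything; check that against your version.

```python
"""Delegate view/manage of one group subtree to a named admin user through
Keycloak's fine-grained admin permissions, using only the admin REST API.

Constructed example: BASE, REALM, the group path and the user names are
placeholders, not values from a real deployment.
"""
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"      # assumed Keycloak 4.x base URL
REALM = "group-hierarchy-demo"            # realm name taken from the thread
WANTED_SCOPES = ("view-members", "manage-members")  # scopes named in the reply


def admin_token(username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{BASE}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def call(token, method, path, payload=None):
    """Minimal JSON client for /admin/realms/<REALM>/... endpoints."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{BASE}/admin/realms/{REALM}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def scope_permission_ids(management_ref, scopes=WANTED_SCOPES):
    """Pick the permission ids for the wanted scopes out of the reference that
    PUT /groups/{id}/management/permissions returns; fail loudly if one is
    missing rather than silently granting less than intended."""
    offered = management_ref["scopePermissions"]
    missing = [s for s in scopes if s not in offered]
    if missing:
        raise KeyError(f"scopes not offered for this group: {missing}")
    return {s: offered[s] for s in scopes}


def user_policy_payload(name, user_ids):
    """Body for POST .../authz/resource-server/policy/user: grants to the listed users only."""
    return {"name": name, "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "users": list(user_ids)}


def with_policy(permission_rep, policy_id):
    """Copy of a scope-permission representation with policy_id attached, keeping
    any policies already present and never duplicating one (safe to re-run)."""
    rep = dict(permission_rep)
    policies = list(rep.get("policies") or [])
    if policy_id not in policies:
        policies.append(policy_id)
    rep["policies"] = policies
    return rep


def full_permission(token, authz, perm_id):
    """GET on a permission omits its resources/scopes/policies, which live under
    sub-paths; load them so a PUT does not wipe what the server already has."""
    rep = call(token, "GET", f"{authz}/permission/scope/{perm_id}")
    for key, sub in (("resources", "resources"), ("scopes", "scopes"),
                     ("policies", "associatedPolicies")):
        rep[key] = [x["id"] for x in call(token, "GET", f"{authz}/policy/{perm_id}/{sub}")]
    return rep


def delegate_subtree(token, group_path, admin_username):
    """Enable permissions on the group at group_path and let admin_username act
    on its members (permissions on a parent group also cover nested subgroups)."""
    # group-by-path is assumed to exist in the targeted Keycloak version
    group = call(token, "GET", f"/group-by-path/{urllib.parse.quote(group_path.strip('/'))}")
    mgmt = call(token, "PUT", f"/groups/{group['id']}/management/permissions", {"enabled": True})
    wanted = scope_permission_ids(mgmt)
    admin = next(u for u in call(token, "GET", f"/users?username={admin_username}")
                 if u["username"] == admin_username)
    rm_client = call(token, "GET", "/clients?clientId=realm-management")[0]
    authz = f"/clients/{rm_client['id']}/authz/resource-server"
    policy = call(token, "POST", f"{authz}/policy/user",
                  user_policy_payload(f"{admin_username}-policy", [admin["id"]]))
    for perm_id in wanted.values():
        rep = full_permission(token, authz, perm_id)
        call(token, "PUT", f"{authz}/permission/scope/{perm_id}", with_policy(rep, policy["id"]))
    return {"group": group["id"], "policy": policy["id"], "permissions": wanted}


if __name__ == "__main__":
    import getpass
    tok = admin_token("admin", getpass.getpass("master admin password: "))
    print(delegate_subtree(tok, "/corp/org/branch1/division1", "division1-admin-user"))
```

Running it once per subtree admin is enough; the policy name is derived from the user name, so a second run for the same user fails on the POST with a conflict, which is the intended signal that the grant already exists. Attaching the policy to only view-members and manage-members, and not to manage or manage-membership, keeps the delegated admin from editing the group itself or moving users between groups.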
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On
Behalf Of Thomas Darimont
Sent: Tuesday, 14 August 2018 20:58
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>; keycloak-user
<keycloak-user(a)lists.jboss.org>
Subject: [keycloak-dev] Fine-grained permissions along hierarchy paths
Hello,
I have a realm with nested groups that denotes a hierarchical corporate structure.
/corp
-/org
--/branch1
---/division1
----/team1
----/team2
---/division2
----/team3
----/team4
--/branch2
-/infra
...
Users belong to one particular group along the /corp/org subtree, but might also be
members of one or more groups from a different subtree, e.g., /corp/infra.
Is it possible to have dedicated admin users at /corp, /branchX, /divisionX level who can
only view and manage the users from their group or subtree with an admin-console scoped to
a fixed realm?
admin-console scoped to group-hierarchy-demo realm:
http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/gr...
If a user logs in as division1-admin-user, he should only be able to see and manage the
users beneath the path (/corp/org/branch1/division1/*).
Does the fine-grained permission system already support use cases like this?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev