Hi Jeremy,
I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective Roles
are not taken into account by the Policy Evaluation Tool, only roles assigned directly to
a user.
Best regards
Bettina
-----Ursprüngliche Nachricht-----
Von: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
Im Auftrag von Jeremy Majors
Gesendet: Montag, 27. Februar 2017 22:57
An: keycloak-user(a)lists.jboss.org
Betreff: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
I have setup my users to have the 'read' role by associating that role to a group
which my users have been associated with. While testing the policies for a resource using
the Policy Evaluation tool I determined that the roles associated with the groups
weren't being picked up and the user was being denied access to the resource (please
note that when I looked at the user's roles I did notice that 'read' was
listed as an effective role). When I removed one of the users from the group and directly
assigned the 'role' to the user then I was able to successfully access the
resource using the Policy Evaluation tool.
Can anyone else reproduce this issue? It's unclear whether it could be related to
KEYCLOAK-2964, which has been closed.
Thanks in advance,
Jeremy
Privileged/Confidential Information may be contained in this message. If you are not the
addressee indicated in this message (or responsible for delivery of the message to such
person), you may not copy or deliver this message to anyone. In such case, you should
destroy this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for messages of
this kind. Opinions, conclusions and other information in this message that do not relate
to the official business of my firm shall be understood as neither given nor endorsed by
it.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user