I'll log a jira
On 1/28/2016 10:21 AM, Edgar Vonk - Info.nl wrote:
Hi,
(oops, sent this to the keycloak-dev mailing list by mistake earlier..)
It seems there are no client roles to view and manage groups in Keycloak? I expected to
see view-groups and manage-groups roles just like view-users and view-groups.
Our case is that we want to have ‘functional admin’ users that are allowed to manage
users and groups within their realm (and nothing else).
I have now created such a functional admin user with the following client roles in this
particular realm:
- view-events
- manage-users
- view-users
- impersonation
When I log in as this functional admin user I can manage users fine, however I cannot
manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I
click on it I get a “Forbidden. You don't have access to the requested resource.” and
in the logs we see:
4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
    at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
    at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
    at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so,
shall I create a JIRA ticket for it?
cheers
Edgar
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com