Hi Peter, sorry for not having replied to your first posting.

AFAIK, currently you cannot configure a role in a way that it is automatically granted
access to every realm, including newly created ones.

You may ask: "but look, that's exactly how the global admin role works!" -
that's true, but the global admin role has some special handling that is invoked every
time a realm is created (see org.keycloak.services.managers.RealmManager::createRealm).

The good news is that you can have the same behavior for your role, at the reasonably low price
of creating and deploying a simple Keycloak extension.
Look how it's done in BeerCloak:
https://github.com/dteleguin/beercloak/blob/master/beercloak-module/src/m...
In a few words: BeerCloak registers a listener for the RealmPostCreateEvent, and when it
arrives, adds two client roles to the global "admin" role.
In your case, you'll be adding all "view-*" and "query-*" roles
(belonging to the "<new_realm>-realm" client) to your
"reporting" role.
Good luck and feel free to ask any questions on BeerCloak,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
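The listener described above, written out as an added example (not BeerCloak's code and not part of this thread). The class name ReportingRoleListener is hypothetical; it assumes Keycloak 12 or later (stream-based role API; older releases expose getRoles() returning a Set) and that a "reporting" role already exists in the master realm. It is registered from any ProviderFactory's postInit via KeycloakSessionFactory.register(...).

```java
package example.reporting; // hypothetical package

import org.keycloak.Config;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.provider.ProviderEvent;
import org.keycloak.provider.ProviderEventListener;

/**
 * Reacts to RealmPostCreateEvent and adds the new realm's read-only management
 * roles (view-* and query-*) to the "reporting" composite role in master.
 * Register from a ProviderFactory: factory.register(new ReportingRoleListener());
 */
public class ReportingRoleListener implements ProviderEventListener {

    // Assumption: the role is created by an administrator beforehand.
    static final String REPORTING_ROLE = "reporting";

    @Override
    public void onEvent(ProviderEvent event) {
        // RealmPostCreateEvent fires at the end of RealmManager.createRealm,
        // after the "<realm>-realm" management client has been set up in master.
        if (event instanceof RealmModel.RealmPostCreateEvent) {
            RealmModel.RealmPostCreateEvent e = (RealmModel.RealmPostCreateEvent) event;
            grantReadOnlyAccess(e.getKeycloakSession(), e.getCreatedRealm());
        }
    }

    static void grantReadOnlyAccess(KeycloakSession session, RealmModel created) {
        RealmModel master = session.realms().getRealmByName(Config.getAdminRealm());
        RoleModel reporting = master.getRole(REPORTING_ROLE);
        if (reporting == null) {
            return; // role not set up yet: nothing to grant
        }
        // The realm-management client for realm X lives in master as "<X>-realm".
        ClientModel mgmt = master.getClientByClientId(created.getName() + "-realm");
        if (mgmt == null) {
            return;
        }
        // Only the read-only roles; manage-* and impersonation stay out of the composite.
        mgmt.getRolesStream()
            .filter(r -> r.getName().startsWith("view-") || r.getName().startsWith("query-"))
            .filter(r -> !reporting.hasRole(r)) // idempotent on re-runs
            .forEach(reporting::addCompositeRole);
    }
}
```

Realms that existed before the extension was deployed are not touched by this listener; their view-*/query-* roles still have to be added to the composite once by hand.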
On Mon, 2018-07-16 at 14:42 -0400, pkboucher801(a)gmail.com wrote:
According to
https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles
there are two global roles, admin and create-realm, but we would like to add
a third one, call it reporting, that has read-only access to all settings in
every realm (so all of the view- and query- permissions).
We can create the role as a composite with permissions over every realm, but
if a new realm is added later, the reporting role has no access unless we
explicitly grant it.
Is it possible for us to add a global role by creating a new realm role in
the master realm, and giving it a particular configuration and/or set of
permissions?
Thanks!
Regards,
Peter K. Boucher
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user