On Tue, Dec 25, 2018 at 6:39 AM Geoffrey Cleaves <geoff(a)opticks.io> wrote:
I think you should open a bug report. I agree with you that it does not
make sense to expose those other config settings (even if limited to
read-only.) Post the ticket here and I'll vote for it.
On Mon, 24 Dec 2018 at 17:14, Mandy Fung <mandy.fung(a)tasktop.com> wrote:
> Thanks for the reply! This indeed allowed the user to access the realm
> console. However, this also exposed other configurations that we do not
> wish the admin users to see such as configuring the Realm Settings, Roles,
> User Federation, and Authentication.
>
> Is there another configuration that would allow the user to access the
> admin console and only expose the manage groups and users tab?
>
> Thanks again,
> Mandy
>
> On Sat, Dec 22, 2018 at 2:00 PM Geoffrey Cleaves <geoff(a)opticks.io>
> wrote:
>
>> When I was messing with granular permissions recently I had to give the
>> view-realm role in order to log into the Admin Console.
>>
>> On Fri, Dec 21, 2018, 19:29 Mandy Fung <mandy.fung(a)tasktop.com> wrote:
>>
>>> Hello,
>>>
>>> We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access
>>> the dedicated realm admin console (/auth/admin/{realm}/console) with the
>>> same realm-management roles that they had in 4.5.0.
>>>
>>> We only want our admin users to manage users and groups and in 4.5.0 we
>>> were able to assign the following roles to our admin users such that only
>>> the "Manage > Groups" and "Manage > Users" tabs show up in the realm admin
>>> console: 'manage-users', 'query-groups', 'query-users', and 'view-users'.
>>>
>>> However, with the new upgrade to 4.7.0 these admin users with the same
>>> realm-management roles assigned can no longer access the realm admin
>>> console and they see a 403 Forbidden error page.
>>>
>>> Has anyone run into this issue recently, or are there some new realm
>>> management roles added in 4.7.0 that we need to re-configure?
>>>
>>> Best regards,
>>> Mandy
>>>
>>> --
>>>
>>>
>>> *Mandy Fung **|* Software Engineer 1 *| *Tasktop
>>>
>>> *email: *mandy.fung(a)tasktop.com
>>>
>>
>
> --
>
>
> *Mandy Fung **|* Software Engineer 1 *| *Tasktop
>
> *email: *mandy.fung(a)tasktop.com
>
--
Regards,
Geoffrey Cleaves
--
*Mandy Fung **|* Software Engineer 1 *| *Tasktop
*email: *mandy.fung(a)tasktop.com