Thanks for the clarification.
On Fri, Apr 5, 2019 at 10:15 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
That is something to discuss. Right now, I think that group admins can
delete *and* create users. IIRC, the issue here is that the "create" button is
only shown if you have the "manage-users" role, which conflicts with the
permissioning model provided by the fine-grained admin permissions.
On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <rafaelweingartner(a)gmail.com> wrote:
> Thanks for the feedback Pedro!
> Sure, I will do that. However, just to make sure I understood: the
> ability to delete user accounts for the "group admin" users is considered
> a bug, and will be removed/addressed in the upcoming release. Is that
> correct?
>
> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
>> Hi Rafael,
>>
>> Yeah, this is how it was implemented. I understand your point and this is
>> one of the things that we need to review in regards to fine-grained
>> permissions in the admin console.
>>
>> We have a few open JIRAs that we are looking forward to working on in the
>> future. Could you please file a new JIRA for this problem in particular?
>>
>> Regards.
>> Pedro Igor
>>
>>
>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <rafaelweingartner(a)gmail.com> wrote:
>>
>>> Hello folks,
>>> Any takers here? It would be very helpful to have feedback regarding the
>>> intended design before checking the code to confirm these features.
>>>
>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <rafaelweingartner(a)gmail.com> wrote:
>>>
>>> > Hello Keycloak community,
>>> > We seem to have stumbled across a feature that we do not fully
>>> > understand (after reading and re-reading, and testing). Could somebody
>>> > help to clarify the design of this feature?
>>> >
>>> > When enabling fine-grained group permissions, we see the option to
>>> > assign the scope "manage" to users in specific groups. According to our
>>> > understanding, this scope would allow us to create the "role" of users
>>> > ("group-admins") to manage (update user information, reset credentials,
>>> > enable/disable) other users in the same group; users with this "role"
>>> > would also not be able to see the other users in the realm that are not
>>> > assigned to the group where they have these special permissions.
>>> > Therefore, the actions of creating and removing users would still be
>>> > restricted to the manage-users permission that can be set to
>>> > "user-managers" in the whole realm.
>>> >
>>> > During our tests, we noticed that the users that receive the "manage"
>>> > scope permission in a group are able to delete users of the group. Is
>>> > this the expected behavior? After noticing this, we also thought that
>>> > they would then be able to create users in the group (if they can
>>> > remove, why not enable them to create as well?); however, these users
>>> > are not able to create other users in the group that they have
>>> > permission to manage (even when explicitly assigning the group to the
>>> > user being created). Is this a bug? Or something that is not completely
>>> > documented?
>>> >
>>> > --
>>> > Rafael Weingärtner
>>> >
>>>
>>>
>>> --
>>> Rafael Weingärtner
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
> --
> Rafael Weingärtner
>
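A small probe, added here and not part of the thread or of Keycloak itself, that checks what a delegated "group admin" token can actually do against the Admin REST API in a throwaway realm: it tries to create a user in the group and then to delete one, which is the create/delete asymmetry Rafael reports. The base URL, realm, group path and account names are placeholders; HTTP goes through the `send` parameter so the logic can be exercised without a server.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # Keycloak base URL (placeholder)
REALM = "test-realm"                 # throwaway realm (placeholder)
GROUP_PATH = "/group-a"              # group the probe account may "manage"


def send(method, url, token=None, body=None, form=None):
    """One HTTP round trip; returns (status, lower-cased headers, body text)."""
    data, headers = None, {}
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode()


def get_token(username, password, send=send):
    """Password grant via the admin-cli client, as the group-admin test account."""
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}
    status, _, text = send("POST", url, form=form)
    return json.loads(text)["access_token"] if status == 200 else None


def probe_group_admin(token, victim_username, send=send):
    """Report whether `token` can create a user in GROUP_PATH and delete
    `victim_username` (a throwaway account pre-created in that group)."""
    users = f"{BASE}/admin/realms/{REALM}/users"
    status, hdrs, _ = send("POST", users, token, body={
        "username": "probe-created", "enabled": True, "groups": [GROUP_PATH]})
    outcome = {"create": status == 201, "delete": False}
    # If creation worked, delete what we just made rather than the victim.
    target = hdrs.get("location", "").rsplit("/", 1)[-1] if outcome["create"] else None
    if target is None:
        query = users + "?username=" + urllib.parse.quote(victim_username)
        status, _, text = send("GET", query, token)
        found = json.loads(text) if status == 200 else []
        target = found[0]["id"] if found else None
    if target:
        status, _, _ = send("DELETE", f"{users}/{target}", token)
        outcome["delete"] = status == 204
    return outcome
```

A result of `{"create": False, "delete": True}` reproduces the behaviour described in the thread; run it only against a disposable realm, since the delete is real.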