Hi,
We do support fine-grained permissions for Groups. But I think your problem
is related to the fact that there is no specific permission for mapping
a role to a group. Is that correct?
Regarding the "manage-users" role, this is the role that grants access to
groups. As well as "view-users".
Regards.
Pedro Igor
On Thu, Jun 14, 2018 at 7:41 AM, Leistert Christoph (INST/ECS2) <Christoph.Leistert(a)bosch-si.com> wrote:
Hello,
We use Keycloak 3.4.3 and we are trying to find out a way to let users create
clients with a client role and map this client role to a group they are
already a member of.
For the client creation and client role creation we assigned the realm
role "manage-clients" to the users and this is okay for our setup.
Additionally the users are assigned to the "query-groups" realm role, so
that they could see the groups.
We struggle a bit with the right role/permissions setup to map the client
role to a group.
First, we tried to use realm roles only. However, for mapping a role to a
group the "manage-users" role is needed, which allows the user also to e.g.
see all users. This should not be possible for these users.
Now we try to use fine-grained permissions to realize our scenario. But
for the group entity there are no fine-grained permissions and the
"map-role" permission of the "Users" resource does not allow mapping a role
to a group (403 Forbidden).
Is there any other way than using the "manage-users" realm role to map a
client role to a group?
Is it planned to add fine-grained permissions for a "Groups" resource?
Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user