Hi Pedro,
Regarding enabling authz on security-admin-console. This won't
work
because we also need changes to admin console/apis to enforce
permission. I've replied to another thread about fine-grained
permissions in admin console and rest apis.
Could you please point to the message? this is of big interest for me,
thx
We are still using roles and we also lack specific permissions for
some parts of admin console/apis. That is something we are planing to
review and improve in the future.
Good to hear that. Seems like this should be a popular feature, since
only for the last couple of weeks the guys have asked for help with
similar problems. See the message from Waldemar [1], he is looking for
a way to selectively allow a user access to roles without granting the
"manage-realm" role. Any ideas? I've yet come up with either creating a
custom REST endpoint, or introducing "{view,manage}-roles" in Keycloak
and waiting for next release...
Cheers,
Dmitry
[1]
http://lists.jboss.org/pipermail/keycloak-user/2018-June/014307.htm
l
> > As far as i read the documentation, the recommendation seems to
> be to
> > customize rest endpoints are not deploy them at all..
>
> Not sure if I got it right ("not to deploy them at all"), could you
> point to the docs please?
>
> Dmitry
>
> >
> > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin <dt@acutu
> s.pr
> > o> wrote:
> >
> >
> > Madhu,
> >
> > I think that initially this was supposed to work without "manage-
> > realm" role. If you grant a user "manage-identity-providers"
role
> > only, you'll see a perfect picture in the GUI: just the "Identity
> > providers" section, and nothing more. However if you try to
> actually
> > add a provider, you'll get a 403 Forbidden upon a request to
> > /auth/admin/realms/$REALM/authentication/flows endpoint.
> >
> > To render the identity provider creation form, the GUI indeed
> needs
> > to retrieve a list of authentication flows for the realm.
> > Unfortunately, in the REST resource it is hardcoded that the user
> > needs to be checked for "view-realm" role (see
> >
> org.keycloak.services.resources.admin.AuthenticationManagementResou
> rc
> > e::getFlows).
> >
> > I think this is a perfect candidate for RFE, since "view-realm"
> is
> > indeed too wide for the flows endpoint. I'd suggest that the
> > restriction be changed to "view-realm OR manage-identity-
> providers".
> > You can create a JIRA issue for that, and at the moment resort to
> one
> > of the workarounds:
> > - fix AuthenticationManagementResource::getFlows yourself and
> > recompile Keycloak (easier to do, but harder to maintain);
> > - create a custom REST endpoint for flows with relaxed
> permissions,
> > then create a custom GUI theme to use that endpoint instead of
> the
> > standard one.
> >
> > Please note that granting manage-realm + manage-identity-
> providers
> > and tweaking the GUI theme to exclude unwanted elements is
> generally
> > a bad idea, since a rogue user will still be able to directly
> invoke
> > REST endpoints to do some nasty stuff.
> >
> > I'm not sure if authorization / fine-grained permissions are
> relevant
> > here, but let's see what Pedro Igor says on that.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > + 42 (022) 888-30-71
> > E-mail: info@acutus.pro
> >
> > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > > Hi ,
> > > I want to disable client, Realm management, Authentication and
> > > Roles and want to create a user who will be able to provide
> only
> > > Identity provider/broker integration.
> > > I understand user needs to be in manage-identity-providers and
> > > manage-realm for doing this activity. But with manage realm
> user
> > > also has access to role creation,authenciation and realm
> setting
> > > tabs. Any way to disable these, without going for customized
> themes
> > > or changing the FTL?
> > > I am looking for authorization model based solution.
> > > Regards,Madhu
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > >
https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>