Thank you Dmitri,
This definitely helps.
Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in
KC's repository.
I have data in my users I want to use in order to create the group and manage visibility
& impersonation.
However I can't find how to add users to groups and create these groups through the
SPI.
I do see the method "UserQueryProvider.getGroupMembers" but I have no clue
on how to create groups and what the implementation of this method should do :-/
Is there any example I can get inspiration from where groups are driven by an external
source?
Kind regards,
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Tuesday, 10 July 2018 12:42
To: Nicolas Gillet <nicolas.gillet(a)market-ip.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users
Hi Nicolas,
You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the
"realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user
policy to allow the user to view group, then repeat for "view-members"
permission.
Now your newly added admin user will be restricted to the contents of the group. He
won't be able to view/impersonate other users, even if he knows the user's
internal ID.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
Hello,
Is it possible to grant a user the permission to view only some (not
all) users of the realm?
Same question about being allowed to impersonate only the user he is
allowed to see?
Thanks for any help :-)
Nicolas GILLET
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user