Re: [keycloak-user] Roles for User Management

Hi all, I'm trying to use KC for a suite of multitenant webapps. Each tenant/customer has a separated realm and I use a custom Federation Provider to map users and roles to my company's legacy custom ACL database. Customers also want to manage/create users by their own, but I don't want they manage other realm stuff like Federation Provider parameters, client apps, etc, so I have to provide to some users of each realm the only roles of "manage-user"/"view-users" from the app realm-management, so they can only view the Manage User option in the realm Console. The problem is that through the console they may promote themselves assigning to existing users or to new users the role of "manage-realm" and after a simple refresh they can manage the entire realm. Is there a way to avoid this or am I wrong to do this?

One more question connected to this one: is there a way to localize also the realm console? If my customers have to manage their own users, they would read labels and messages in their own languages. Thank you very much for your time and for your great and versatile product.

Best regards --Vito _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user