Hello,
We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a
client role and map this client role to a group they are already a member of.
For client creation and client role creation we assigned the realm role
"manage-clients" to the users, and this is fine for our setup. Additionally, the
users are assigned the "query-groups" realm role so that they can see the
groups.
We are struggling a bit with the right role/permission setup for mapping the client role to a
group.
First, we tried to use realm roles only. However, for mapping a role to a group the
"manage-users" role is needed, which also allows the user to, e.g., see all users.
This should not be possible for these users.
Now we are trying to use fine-grained permissions to realize our scenario. But for the group
entity there are no fine-grained permissions, and the "map-role" permission of
the "Users" resource does not allow mapping a role to a group (403 Forbidden).
Is there any other way than using the "manage-users" realm role to map a client
role to a group?
Is it planned to add fine-grained permissions for a "Groups" resource?
Best regards
Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY |
www.bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber,
Michael Hahn
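The sequence of admin REST calls behind the scenario described in the post (list the groups the delegated user may query, read the client role, then try to map it onto a group), as an added example that is not part of the original message and not Keycloak's own code. It uses the Keycloak 3.4 admin endpoints under the `/auth` context path. The base URL `http://localhost:8080`, the realm `demo`, the user names, the client UUID and the role name are assumptions; `ReplayTransport` is a constructed stand-in that answers exactly as the post reports (200 for the reads, 403 for the group role mapping) so the script runs offline. Swap in `UrllibTransport` to run the same steps against a real server with a user who holds only `manage-clients` and `query-groups`.

```python
import json
from urllib import error, parse, request


class UrllibTransport:
    """Real HTTP transport. Assumes a reachable Keycloak 3.4 at base_url."""

    def send(self, method, url, body=None, headers=None):
        data = body.encode() if isinstance(body, str) else body
        req = request.Request(url, data=data, method=method, headers=headers or {})
        try:
            with request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except error.HTTPError as exc:
            return exc.code, exc.read().decode()


class ReplayTransport:
    """Constructed stand-in that mirrors the behaviour reported in the post:
    the delegated admin can list groups and read client roles, but mapping a
    client role onto a group is refused with 403 Forbidden."""

    def __init__(self):
        self.calls = []  # (method, url, body) of every request, for inspection

    def send(self, method, url, body=None, headers=None):
        self.calls.append((method, url, body))
        path = parse.urlsplit(url).path
        if path.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "constructed-token"})
        if method == "GET" and path.endswith("/groups"):
            return 200, json.dumps([{"id": "g-1", "name": "team-a"}])
        if method == "GET" and "/clients/" in path and "/roles/" in path:
            return 200, json.dumps({"id": "r-1", "name": path.rsplit("/", 1)[1]})
        if method == "POST" and "/role-mappings/clients/" in path:
            return 403, json.dumps({"error": "HTTP 403 Forbidden"})
        return 404, ""


class KeycloakAdmin:
    """Minimal client for the admin REST endpoints involved in the scenario."""

    def __init__(self, base_url, realm, transport):
        self.base = base_url.rstrip("/")
        self.realm = realm
        self.transport = transport
        self.token = None

    def _admin(self, path):
        # Keycloak 3.4 serves everything below the /auth context path
        return "%s/auth/admin/realms/%s%s" % (self.base, self.realm, path)

    def _headers(self):
        return {"Authorization": "Bearer " + self.token,
                "Content-Type": "application/json"}

    def login(self, username, password):
        """Resource-owner password grant against admin-cli in the target realm."""
        url = "%s/auth/realms/%s/protocol/openid-connect/token" % (self.base, self.realm)
        form = parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                "username": username, "password": password})
        status, body = self.transport.send(
            "POST", url, form, {"Content-Type": "application/x-www-form-urlencoded"})
        if status == 200:
            self.token = json.loads(body)["access_token"]
        return status

    def list_groups(self):
        """GET /groups: needs query-groups (or view-users)."""
        status, body = self.transport.send("GET", self._admin("/groups"), None, self._headers())
        return status, (json.loads(body) if status == 200 else [])

    def get_client_role(self, client_uuid, role_name):
        """GET /clients/{uuid}/roles/{name}: covered by manage-clients."""
        url = self._admin("/clients/%s/roles/%s" % (client_uuid, parse.quote(role_name)))
        status, body = self.transport.send("GET", url, None, self._headers())
        return status, (json.loads(body) if status == 200 else None)

    def map_client_role_to_group(self, group_id, client_uuid, role):
        """POST /groups/{id}/role-mappings/clients/{uuid} with a list of roles.
        This is the call the post reports as failing with 403."""
        url = self._admin("/groups/%s/role-mappings/clients/%s" % (group_id, client_uuid))
        status, _ = self.transport.send("POST", url, json.dumps([role]), self._headers())
        return status


def reproduce(admin, username, password, client_uuid, role_name):
    """Walk the steps from the post and return the HTTP status of each one."""
    result = {"login": admin.login(username, password)}
    status, groups = admin.list_groups()
    result["list_groups"] = status
    status, role = admin.get_client_role(client_uuid, role_name)
    result["get_client_role"] = status
    if groups and role:
        result["map_client_role_to_group"] = admin.map_client_role_to_group(
            groups[0]["id"], client_uuid, role)
    return result


if __name__ == "__main__":
    transport = ReplayTransport()  # replace with UrllibTransport() for a live server
    admin = KeycloakAdmin("http://localhost:8080", "demo", transport)
    print(reproduce(admin, "delegated-admin", "secret", "client-uuid", "app-role"))
```

Against a real server the reads succeed and the final POST is where the permission check lands, so the returned dictionary isolates which of the delegated user's roles is sufficient for which step.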