I think your expectation makes sense. But that is how it is implemented
today. I would ask you to create a JIRA so we can track this.
We have quite a few RFEs and issues for fine-grained that we would like to
address in the future. We also want a complete review of the functionality
based on all the feedback we had during the lifetime of this feature.
Regards.
Pedro Igor
On Wed, Sep 11, 2019 at 4:40 PM robrecht anrijs <robrecht.anrijs(a)gmail.com>
wrote:
Sebastian,
Thx for the quick response, I've tried it, indeed, it's better. Only that
client is visible now.
But I would expect that I don't have to give access to the whole client.
When using fine-grained permissions I have to add my user-policy to the
view-scope permission of the specific client. Only then the user can add a
client-role to a user or group.
I would expect that the map-roles scope would be sufficient?
Regards,
Robrecht
On Wed, Sep 11, 2019 at 15:52, Schuster Sebastian (INST-CSS/BSV-OS2) <
Sebastian.Schuster(a)bosch-si.com> wrote:
> Hi Robrecht,
>
> That’s exactly how we do it, give the user query-clients and fine-grained
> permissions on every client he is allowed to see.
>
> Best regards,
> Sebastian
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> On behalf of robrecht anrijs
> Sent: Wednesday, September 11, 2019 13:43
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] User cannot assign client Role to user with just
>
> Hi keycloak users,
>
> We recently upgraded from keycloak 3.4.3 to 6.0.1, and noticed that a user
> with the roles 'manage-users' and 'view-users' on the client
> 'realm-management' cannot see the list of client roles any more. Because of
> that, the user cannot assign a specific client role to a group or a user.
>
> Screenshot:
> [image: image.png]
> Is this a bug? Or is it expected behaviour?
>
> As a workaround I added the role 'view-clients' to that user, but now the
> user sees too much. I only want to configure that user, so he can manage
> the roles for users & groups. Do I need to enable the fine-grained
> permissions for that
> (https://www.keycloak.org/docs/6.0/server_admin/#_fine_grain_permissions)?
>
> Thx for the answers,
>
> Kind regards,
> Robrecht
>