So it does work giving the group the following permissions:
- `view-users`
- `manage-users`
Not sure if this is the intended behaviour or not, but it does work. The
way it worked previously was just adding `manage-users` and they could do
what they needed to. Thanks. :)
--
*Aaron Echols*
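
Added example (not part of the original message, and not Keycloak's own code): a Python check that compares a group's direct admin roles with the `view-users` + `manage-users` pair reported above, and flags broader grants such as the `manage-realm` workaround mentioned earlier in the thread. Assumptions: the roles are client roles on `realm-management`, the input is shaped like an Admin REST API role-mappings response, and the function, constant and sample names are hypothetical.

```python
import json

# Assumption: per-realm admin roles are client roles on "realm-management".
ADMIN_CLIENT = "realm-management"
# The role pair the message above reports as working for the group.
EXPECTED = {"view-users", "manage-users"}


def audit_group_roles(raw_json: str) -> dict:
    """Diff a group's direct realm-management roles against EXPECTED.

    raw_json is shaped like an Admin REST API role-mappings response:
    {"clientMappings": {"<client>": {"mappings": [{"name": "..."}]}}}
    Only direct mappings are read; composite roles are not expanded.
    """
    mappings = json.loads(raw_json)
    client = mappings.get("clientMappings", {}).get(ADMIN_CLIENT, {})
    granted = {role["name"] for role in client.get("mappings", [])}
    return {
        "missing": sorted(EXPECTED - granted),  # roles still to add
        "excess": sorted(granted - EXPECTED),   # roles beyond the delegation
        "ok": granted == EXPECTED,
    }


def _sample(*names: str) -> str:
    """Build a constructed role-mappings document for the given role names."""
    roles = [{"name": n} for n in names]
    return json.dumps({"clientMappings": {ADMIN_CLIENT: {"mappings": roles}}})


# Constructed inputs mirroring the three configurations in the thread.
SAMPLES = {
    "manage-users only": _sample("manage-users"),
    "manage-realm workaround": _sample("manage-realm", "manage-users"),
    "view-users + manage-users": _sample("view-users", "manage-users"),
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, audit_group_roles(doc))
```
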
On Sat, Apr 6, 2019 at 10:41 AM Aaron Echols <aechols(a)bfcsaz.com> wrote:
Upgrading to 5.0.0 doesn't resolve the issue. I reduced the roles on the
users group to `manage-users` and its members forbidden access on the
Security Admin Console.
--
*Aaron Echols*
On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Hi, this was an issue that was fixed in 5.0.0. You are not the first one
> to query this :)
>
> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
>
>> Ok, so further testing shows:
>>
>> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role
>> does allow them to login to the Security Console, applying `manage-users`
>> role lets them reset passwords. This isn't a good solution though, since
>> they get access to settings that they shouldn't be able to access.
>>
>> Seems like the role got broken during the upgrade possibly. Is there a
>> way to reset or reinstall a role?
>> --
>> *Aaron Echols*
>>
>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols(a)bfcsaz.com> wrote:
>>
>> > Hello All,
>> >
>> > I was running 4.1.0.Final and decided to upgrade this week to
>> > 4.8.3.Final. I'm running into an issue where we set a group up with
>> > the `manage-users` Role Mapping. In 4.1.0.Final, the members of said
>> > group were able to login and reset passwords for users successfully
>> > in the realm they are in.
>> >
>> > Now when they attempt to access the Security Admin Console under
>> > Applications in their profile, they get the following message on the
>> > user side:
>> >
>> > Forbidden
>> > You don't have access to the requested resource.
>> >
>> > All I see in the Events log:
>> >
>> > LOGIN
>> > Client: security-admin-console
>> > User: <identifier>
>> > IP Address: <local-ip>
>> > Details:
>> > auth_method: openid-connect
>> > auth_type: code
>> > response_type: code
>> > redirect_uri: /auth/admin/realm/console/
>> > consent: no_consent_required
>> > code_id: <code-id>
>> > response_mode: fragment
>> > username: <username>
>> >
>> > CODE_TO_TOKEN
>> > Client: security-admin-console
>> > User: <identifier>
>> > Details:
>> > token_id: <token-id>
>> > grant_type: authorization_code
>> > refresh_token_type: refresh
>> > scope: openid
>> > refresh_token_id: <refresh-token-id>
>> > code_id: <code-id>
>> > client_auth_method: client-secret
>> >
>> > I've verified that they have the proper roles assigned, why isn't this
>> > working now and anyone have any help to be able to troubleshoot?
>> >
>> > Thanks in advance for any help or recommendations. :)
>> > --
>> > *Aaron Echols*
>> >