Give the user the query-users role and enable permissions on the groups (the
one the user should be able to manage and the group he should not be
able to manage). Now you can set policies to manage members of that
group and deny it for the members of the other group.
Nils
On 12.07.2018 at 17:40, Nicolas Gillet wrote:
Ok,
After a few hours of try & fail, I managed to create my groups dynamically through
the SPI.
The trick was to use the RealmModel that is passed to the provider methods to create
groups.
As it's not documented anywhere, I hope this has no caveat. So far the created groups
seem to be correct and persisted.
Now I am stuck figuring out how to create a policy that will allow a user of a group to
manage only users of a subgroup of his own group. :-/
If anyone has a hint?
Kind regards,
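The approach Nicolas describes (creating groups from the RealmModel handed to the provider's methods), as an added example that is not code from this thread, from Keycloak, or from the user-storage-jpa-example. It assumes the Keycloak RealmModel/GroupModel/UserModel API of that era (createGroup, getTopLevelGroups, getSubGroups, moveGroup, isMemberOf, joinGroup); the `GroupSync` class, the `ensureGroupPath` helper and its name lookup are this example's own.

```java
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Added example (not from the thread): create or reuse a group path such as
// "tenant-a" / "support" on the RealmModel passed into a UserStorageProvider
// method. The lookup-by-name guard is ours: provider methods run on every
// request, so an unguarded createGroup() call would keep producing new groups
// with the same name instead of reusing the persisted one.
public final class GroupSync {

    private GroupSync() {}

    // Returns the group at the given path, creating any missing level under its parent.
    public static GroupModel ensureGroupPath(RealmModel realm, String... path) {
        GroupModel parent = null;
        for (String name : path) {
            GroupModel existing = findChild(realm, parent, name);
            if (existing == null) {
                existing = realm.createGroup(name);      // created as a top-level group
                if (parent != null) {
                    realm.moveGroup(existing, parent);   // then re-parented under the parent
                }
            }
            parent = existing;
        }
        return parent;
    }

    // Look up a direct child by name; top-level groups when parent is null.
    private static GroupModel findChild(RealmModel realm, GroupModel parent, String name) {
        Iterable<GroupModel> candidates = (parent == null)
                ? realm.getTopLevelGroups()
                : parent.getSubGroups();
        for (GroupModel g : candidates) {
            if (name.equals(g.getName())) {
                return g;
            }
        }
        return null;
    }

    // Add the user to the group only if not already a member, so repeated
    // provider calls do not re-join and do not depend on joinGroup being idempotent.
    public static void ensureMembership(UserModel user, GroupModel group) {
        if (!user.isMemberOf(group)) {
            user.joinGroup(group);
        }
    }
}
```

Two caveats the thread hints at: for a user served by a storage SPI, joinGroup only persists when the user adapter stores membership somewhere (the JPA example's adapter base class keeps it in Keycloak's federated storage), and membership decides what the fine-grained "view-members"/"manage-members" permissions in Dmitry's and Nils's replies apply to, so the group path must be stable across provider calls rather than regenerated with a different name each time.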
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On behalf of Nicolas Gillet
Sent: Wednesday 11 July 2018 17:32
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users
Thank you Dmitri,
This definitely helps.
Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in
KC's repository.
I have data in my users I want to use in order to create the group and manage visibility
& impersonation.
However I can't find how to add users to groups and create these groups through the
SPI.
I do see the method "UserQueryProvider.getGroupMembers" but I have no
clue how to create groups and what the implementation of this method should do :-/
Is there any example I can get inspiration from where groups are driven by an external
source?
Kind regards,
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Tuesday 10 July 2018 12:42
To: Nicolas Gillet <nicolas.gillet(a)market-ip.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users
Hi Nicolas,
You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the
"realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open the "view" permission, add a user
policy to allow the user to view the group, then repeat for the "view-members"
permission.
Now your newly added admin user will be restricted to the contents of the group. He
won't be able to view/impersonate other users, even if he knows the user's
internal ID.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
>
> Is it possible to grant a user the permission to view only some (not
> all) users of the realm?
> Same question about being allowed to impersonate only the users he is
> allowed to see?
>
> Thanks for any help :-)
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user