Hi,
If you assign the *query-users* role to "new_support_group", make the user a
member of "new_support_group", enable permissions on "new_user_group" and
configure the "manage" permission, you should be able to restrict the users
that the user is allowed to see.
Regards.
Pedro Igor
On Mon, Jul 9, 2018 at 8:13 AM, Nils Wild <nils.wild(a)sinnovate.de> wrote:
Hi,
I think I got something wrong about how policies are supposed to work in
Keycloak 4.1.0.Final.
I tried to configure a support group that has access to a certain group
of customers but not all, so I created a new_user_group and a
support_group (this group has realm-management roles to view and manage
users so I can see those admin-console menus) and added policies such
that the support_group can only see and manage that group and users of
that new_user_group but not those of old_user_group. Unfortunately, after
logging in with a user of support_group I can see all users and groups,
not only those of the new_user_group, when clicking "view all users".
I already used the Authorization Evaluator of the realm-management
client. The funny thing is that if I choose the new user of the
support_group and the old_user_group resource with view scope, it
correctly determines that access should be denied.
Am I missing something? Maybe the problem is that the new_support_group
does have realm-management roles like view-users? But if I remove those
roles I am not able to see any menu.
Nils
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
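As an added illustration of the steps in Pedro's reply (this is not code from the thread or from the Keycloak project): the admin REST calls behind them, scripted in Python. The endpoint paths are Keycloak's admin REST API; the realm name, group and user ids, the `call` transport parameter and the policy name are assumptions, and the scope the policy is attached to follows the reply ("manage").

```python
import json
import urllib.request


def http_json(base, token, method, path, body=None):
    """Minimal JSON transport for the Keycloak admin REST API (assumed base
    URL such as http://localhost:8080/auth and an admin bearer token)."""
    req = urllib.request.Request(
        f"{base}/admin/realms/{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def restrict_support_group(call, realm, support_group_id, user_id,
                           managed_group_id, scope="manage"):
    """Wire up fine-grained admin permissions so members of the support group
    get `scope` on the managed group only.  `call(method, path, body)` performs
    one request and returns the decoded JSON (e.g. a partial of http_json)."""
    r = realm
    # realm-management client and its query-users role (needed for the menus)
    rm_id = call("GET", f"{r}/clients?clientId=realm-management", None)[0]["id"]
    role = call("GET", f"{r}/clients/{rm_id}/roles/query-users", None)
    # 1. map query-users to the support group (group-level client role mapping)
    call("POST", f"{r}/groups/{support_group_id}/role-mappings/clients/{rm_id}", [role])
    # 2. make the support user a member of the support group
    call("PUT", f"{r}/users/{user_id}/groups/{support_group_id}", None)
    # 3. enable permissions on the managed group; the response carries the ids
    #    of the scope permissions Keycloak created (view, manage, ...)
    ref = call("PUT", f"{r}/groups/{managed_group_id}/management/permissions",
               {"enabled": True})
    perm_id = ref["scopePermissions"][scope]
    # 4. a group policy that matches members of the support group
    policy = call("POST", f"{r}/clients/{rm_id}/authz/resource-server/policy/group",
                  {"name": f"support-group-{scope}", "logic": "POSITIVE",
                   "groups": [{"id": support_group_id, "extendChildren": False}]})
    # 5. attach that policy to the managed group's scope permission; until a
    #    policy is attached, the permission grants nothing to anyone
    perm_path = f"{r}/clients/{rm_id}/authz/resource-server/permission/scope/{perm_id}"
    perm = call("GET", perm_path, None)
    perm["policies"] = [policy["id"]]
    call("PUT", perm_path, perm)
    return perm_id, policy["id"]
```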