Hi, it is possible - try the following or some variation to suit your use
case. My example allowed a user in a suitable admin role to allocate
client roles to a user, but the user was otherwise read only.
1 - Create a role to act as admin
2 - Create a policy for your role
3 - Give permission to map client roles. This is done by selecting your
client then switching on permissions. Then against map-roles apply your
role policy.
4 - Give permission to view users. This is done by selecting the admin
role, then role mappings. Select client roles -> realm-management -> view
users.
5 - Give permission to map roles to users. Enable permissions on the users
sections. Then apply your admin role policy.
Hope this works for you
Simon.
On Tue, Nov 7, 2017 at 10:10 AM, pavlos kaimakis <pkaim(a)hotmail.com> wrote:
Hi there,
Is there any way we can configure a user that will have the rights to
view/edit/delete/assign other users' roles, but will NOT be able to change
the setting for him/herself?
Reason asking is I want a user as admin to deal with the rest of the
users, but at the same time I don't want that user to be able to grant
permissions to him/herself to access some other clients. The default
'admin' role gives him/her this option.
Waiting for your response
BRs
Lefteris