Hi Jeremy, I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective Roles are not taken into account by the Policy Evaluation Tool, only roles assigned directly to a user. Best regards Bettina -----Ursprüngliche Nachricht----- Von: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@ lists.jboss.org] Im Auftrag von Jeremy Majors Gesendet: Montag, 27. Februar 2017 22:57 An: keycloak-user(a)lists.jboss.org Betreff: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool I have setup my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool. Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed. Thanks in advance, Jeremy Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

The policy evaluation tool should be validating roles based on group membership. I thought i fixed that, but I guess not. On 5/9/17 7:38 AM, Pedro Igor Silva wrote: > You are right. We are not considering roles associated with groups. We also > lack a group based policy .... > > For the former, I've created https://issues.jboss.org/ browse/KEYCLOAK-4874. > For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168. > > Will start working on those two issues before next release. > > On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina < Bettina.Huebner(a)kvbawue.de&gt; > wrote: > >> Hi Jeremy, >> >> I noticed the same behaviour and it still happens in version 3.1.0.CR1. >> Effective Roles are not taken into account by the Policy Evaluation Tool, >> only roles assigned directly to a user. >> >> Best regards >> Bettina >> >> >> >> -----Ursprüngliche Nachricht----- >> Von: keycloak-user-bounces(a)lists.jboss.org [mailto: keycloak-user-bounces@ >> lists.jboss.org] Im Auftrag von Jeremy Majors >> Gesendet: Montag, 27. Februar 2017 22:57 >> An: keycloak-user(a)lists.jboss.org >> Betreff: [keycloak-user] Group Level Roles Not Honored by Policy >> Evaluation Tool >> >> I have setup my users to have the 'read' role by associating that role to >> a group which my users have been associated with. While testing the >> policies for a resource using the Policy Evaluation tool I determined that >> the roles associated with the groups weren't being picked up and the user >> was being denied access to the resource (please note that when I looked at >> the user's roles I did notice that 'read' was listed as an effective >> role). When I removed one of the users from the group and directly >> assigned the 'role' to the user then I was able to successfully access the >> resource using the Policy Evaluation tool. >> >> >> Can anyone else reproduce this issue? It's unclear whether it could be >> related to KEYCLOAK-2964, which has been closed. >> >> >> Thanks in advance, >> >> Jeremy >> >> Privileged/Confidential Information may be contained in this message. If >> you are not the addressee indicated in this message (or responsible for >> delivery of the message to such person), you may not copy or deliver this >> message to anyone. In such case, you should destroy this message and kindly >> notify the sender by reply email. Please advise immediately if you or your >> employer does not consent to Internet email for messages of this kind. >> Opinions, conclusions and other information in this message that do not >> relate to the official business of my firm shall be understood as neither >> given nor endorsed by it. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user