I would be interested to know this too. In order to overcome some the performance issue we found when having to iterate over the users we used the Keycloak provider extension points to add our own custom Rest end points with our own database query to perform the lookup in one statement for all users matching the search criteria, I would sooner not do this as it just added additional overheads when we upgrade. Regards Tony Harris -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Benjamin Huskic Sent: 11 March 2019 15:32 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Best practice for getting roles for all users Hello everybody, I need to query a list of all users with their roles in our application. I would like to avoid calling for every user (~10000) the GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm. The GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. I have read the API documentation and tried to find out any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented. I would like to know if there is a best practice for getting roles for all the users because calling a million times the role-mapping is very inefficient. Thank you in advance Kind regards, Benjamin [cid:image001.png@01D4D841.19FC8380] Benjamin Huskić Founder & Solution Director mobile: +971-5444-9-4664 email: benjamin.huskic@thequalitygate.com<mailto:benjamin.huskic@thequalitygate.com> web: http://www.thequalitygate.com<http://www.thequalitygate.com/> ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com

Hi Niko, Thanks for the update. We were thinking of something similar, and good to know that there is in fact no efficient option. Cheers, Ben -----Original Message----- From: Niko Köbler <niko(a)n-k.de&gt; Sent: Saturday, 16 March 2019 19:31 To: Benjamin Huskic <benjamin.huskic(a)thequalitygate.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Best practice for getting roles for all users Hi Ben, I don't know any built-in possibility to achieve this with Keycloak. Depending on the amount of roles, you could do "reverse" lookup and query all roles for their users. Then you have to re-sort the results to get all roles for each user. Second option could be to write a custom REST endpoint with a custom database query for exactly these informations. Would be more efficient than multiple queries over the API, but is prone to database changes (although they might be unlikely, imo). So you would have to track changes. Cheers, - Niko