[keycloak-dev] Realm admin permissions added

Stian Thorgersen stian at redhat.com
Tue Feb 25 07:59:39 EST 2014

Realm admin permissions have been added to master.

A quick overview on how it works:

When a realm is created an application is created in the keycloak-admin realm. The application name is '<realm name>-realm'. This application represents the roles associated with the realm, and lets you add role mappings to users as well as scope mappings to apps/clients. A realm app has the following roles:

* manage-realm
* manage-users
* manage-applications
* manage-clients

These roles are all read/write. In the future I imagine we can add some view only roles (view-realm, view-users, view-applications, view-clients). I didn't add it this time around as it would require a fair amount of changes to admin console (everything is forms with buttons at the moment, so would have to add read only views).

When listing realms the admin console will only return the realms where the user has one or more of the above roles. The admin console will also change the menu depending on what roles the user has (for example a user that only has 'manage-clients' and 'manage-users' will not see 'settings' and 'applications').

There's a realm role called 'admin' as well. This is a composite role and when creating a new realm all roles for the new realm are added to it. Only users with this role are allowed to create, import or delete realms.

To create a new realm, with a user that has only 'manage-users' and 'manage-clients' access to this new realm, do the following:

1. Create a new realm called 'test'
2. Navigate to users for 'keycloak-admin' realm (http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
3. Create new user called 'test' (enable + reset creds)
4. Click on 'Role mappings' 
5. In 'Applications' drop-down select 'test-realm'
6. Select 'manage-users' and 'manage-clients' and click the right-arrow to add mapping
7. Log out of admin console, and login as 'test'

The pages in the admin console themselves haven't been disabled, only the menu to navigate there. You can try opening for example:


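As an added illustration (not Keycloak's own code and not part of the post above), the role model described here written out in Python: the four roles on each '<realm>-realm' application, the composite 'admin' realm role, and the realm-listing and menu filtering that follow from them. The exact menu-entry-to-role mapping is an assumption drawn from the 'settings'/'applications' example in the post.

```python
# Added example: a model of the realm-admin role scheme described in the post
# (hypothetical Python, not Keycloak's own code). Realm permissions live as
# roles on a '<realm>-realm' application in the 'keycloak-admin' realm; the
# realm role 'admin' is a composite that expands to every realm app's roles.

REALM_ROLES = ("manage-realm", "manage-users", "manage-applications", "manage-clients")

# Assumed mapping of admin-console menu entries to the role that unlocks them.
MENU_ROLE = {
    "settings": "manage-realm",
    "users": "manage-users",
    "applications": "manage-applications",
    "clients": "manage-clients",
}

def realm_app(realm):
    """Name of the application that carries a realm's admin roles."""
    return f"{realm}-realm"

def effective_roles(user, realms):
    """Expand role mappings into (app, role) pairs, resolving the composite
    'admin' realm role to every role of every realm app."""
    roles = set(user.get("app_roles", ()))
    if "admin" in user.get("realm_roles", ()):
        for realm in realms:
            roles.update((realm_app(realm), r) for r in REALM_ROLES)
    return roles

def visible_realms(user, realms):
    """Realms the console lists: those where the user holds at least one realm-app role."""
    roles = effective_roles(user, realms)
    return [r for r in realms if any((realm_app(r), role) in roles for role in REALM_ROLES)]

def menu_for(user, realm, realms):
    """Menu entries shown for a realm, gated by the user's roles on its app."""
    roles = effective_roles(user, realms)
    return [item for item, role in MENU_ROLE.items() if (realm_app(realm), role) in roles]

def can_manage_realms(user):
    """Only the composite 'admin' realm role may create, import or delete realms."""
    return "admin" in user.get("realm_roles", ())

# Constructed sample data mirroring the walkthrough in the post.
REALMS = ["keycloak-admin", "test"]
TEST_USER = {"app_roles": {("test-realm", "manage-users"), ("test-realm", "manage-clients")}}
ADMIN_USER = {"realm_roles": {"admin"}}
```

Note that this models only what the console shows; as the post says, the pages themselves are still reachable by URL, so the check that matters is the one the server performs on each request.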