[keycloak-dev] Realm admin permissions added

Bill Burke bburke at redhat.com
Wed Feb 26 14:11:54 EST 2014

Very nice.

On 2/26/2014 12:41 PM, Stian Thorgersen wrote:
> Added view roles as well. Admin console has been updated to make forms read-only if user only has view role (there's a few widgets it doesn't work for, but should be fixed soon).
> The new roles are:
> * view-realm
> * view-users
> * view-applications
> * view-clients
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 25 February, 2014 12:59:39 PM
>> Subject: [keycloak-dev] Realm admin permissions added
>> Realm admin permissions added has been added to master.
>> A quick overview on how it works:
>> When a realm is created an application is created in the keycloak-admin
>> realm. The application name is '<realm name>-realm'. This application
>> represents the roles associated with the realm, and let's you add role
>> mappings to users as well as scope mappings to apps/clients. A realm app has
>> the following roles:
>> * manage-realm
>> * manage-users
>> * manage-applications
>> * manage-clients
>> These roles are all read/write. In the future I imagine we can add some view
>> only roles (view-realm, view-users, view-applications, view-clients). I
>> didn't add it this time around as it would require a fair amount of changes
>> to admin console (everything is forms with buttons at the moment, so would
>> have to add read only views).
>> When listing realms the admin console will only return the realms where the
>> user has one or more of the above roles. The admin console will also change
>> the menu depending on what roles the user has (for example a user that only
>> has 'manage-clients' and 'manage-users' will not see 'settings' and
>> 'applications').
>> There's a realm role called 'admin' as well. This is a composite role and
>> when creating a new realm all roles for the new realm are added to it. Only
>> users with this role is allowed to create, import or delete realms.
>> To create a new realm, with a user that has only 'manage-users' and
>> 'manage-clients' access to this new realm, do the following:
>> 1. Create a new realm called 'test'
>> 2. Navigate to users for 'keycloak-admin' realm
>> (http://localhost:8081/auth/admin/index.html#/realms/keycloak-admin/users)
>> 3. Create new user called 'test' (enable + reset creds)
>> 4. Click on 'Role mappings'
>> 5. In 'Applications' drop-down select 'test-realm'
>> 6. Select 'manage-users' and 'manage-clients' and click the right-arrow to
>> add mapping
>> 7. Log out of admin console, and login as 'test'
>> The pages in the admin console themselves haven't been disabled, only the
>> menu to navigate there. You can try opening for example:
>> http://localhost:8081/auth/admin/index.html#/realms/test/social-settings
>> http://localhost:8081/auth/admin/index.html#/realms/test/applications
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list