[keycloak-dev] How to assign new client default roles to existing users?

Vlastimil Elias velias at redhat.com
Mon Jun 8 08:23:49 EDT 2015


Nice workaround, thanks for the tip.
I though about it also, but I'm not able to assign this new composite 
default role to all existing users still ;-)

So some of solutions for default roles as I proposed should be good.

Thanks

Vlastimil

On 8.6.2015 14:03, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Vlastimil Elias" <velias at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 8 June, 2015 1:54:11 PM
>> Subject: [keycloak-dev] How to assign new client default roles to existing	users?
>>
>> Hi,
>>
>> we just found one admin use case which is not covered by existing Keycloak
>> and its Admin GUI.
>>
>> When you create new Client later and define some default role/s for it, then
>> there is not any way how to assign these roles to existing users.
>> Problem is that default roles are assigned to users in DB when they are
>> created. Then admin GUI allows to assign roles for one user only, not too
>> useful when you have hundreds or thousands of users ;-)
>> Only workaround for now is to write script which uses REST API to assign new
>> default roles to all existing users.
>>
>> I see these possible solutions:
>>
>>
>>      * do not assign default roles in DB when user is created, but assign them
>>      dynamically when user roles are asked - possible cons of this solution
>>      is that it does not allow to remove default role from concrete/selected
>>      users
>>      * keep default roles assignment into DB on user create, but automatically
>>      assign new default role to all existing users once it is defined for
>>      client
>>      * keep default roles assignment into DB on user create, but add some
>>      manual bulk role assignment action into Admin GUI, which allows admin to
>>      assign role to existing users.
>>
>> WDYT, which solution should be better?
> Or, create a composite role called 'default' and have this as the only default role. Afterwards you can map new roles to this composite role and it'll be reflected for all users that have the 'default' role assigned to them.
>
>> Cheers
>>
>> Vlastimil
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> jboss.org Development Team
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team



More information about the keycloak-dev mailing list