[keycloak-dev] Admin Fine Grained Permissions

Pedro Igor Silva psilva at redhat.com
Tue Dec 26 12:41:21 EST 2017


Right now, when you enable fine-grained permissions for users, you must grant
a specific user the "manage-users" role. Otherwise, you will not be
able to see the "Add User" button even though you have a permission
granting the "manage" scope. It is quite weird actually, because you can
delete users.

This is because in the UI we are checking only for "manage-users" when deciding
if this button should be shown or not.

One thing we could do here is change the admin console to query for the current
user's permissions using the Entitlement API and use the permissions returned
in the RPT to decide whether or not something in the UI should be displayed.

I did some tests here and this approach seems to work fine, and I think it
will improve a lot how we are handling permissions in the admin console.

Regards.
Pedro Igor
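
The check proposed in the message above, sketched as an added example that is not part of the original post or of Keycloak's code: the "Add User" decision is derived from the permissions in the RPT as well as from the "manage-users" role. The claim layout (`authorization.permissions`, `resource_set_name`/`rsname`, `resource_access`), the resource name `Users` and all function names are assumptions.

```javascript
// Display-only decision: the token signature is not verified here, so the
// admin REST endpoints must still enforce the same permission server-side.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True if the RPT grants `scope` on the named resource (assumed claim names).
function hasPermission(claims, resourceName, scope) {
  const perms = (claims.authorization && claims.authorization.permissions) || [];
  return perms.some(p =>
    (p.rsname || p.resource_set_name) === resourceName &&
    Array.isArray(p.scopes) && p.scopes.includes(scope));
}

// The role-only check the post says the UI performs today.
function hasManagementRole(claims, role) {
  const access = (claims.resource_access || {})['realm-management'];
  return !!access && Array.isArray(access.roles) && access.roles.includes(role);
}

function canShowAddUser(rpt) {
  let claims;
  try { claims = decodeJwtPayload(rpt); } catch (e) { return false; } // fail closed
  return hasManagementRole(claims, 'manage-users') ||
         hasPermission(claims, 'Users', 'manage');
}

// Constructed sample tokens; the signature segment is a placeholder.
function makeToken(payload) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc(payload), 'constructed'].join('.');
}
const SAMPLE_MANAGE_SCOPE = makeToken({ authorization: { permissions: [
  { resource_set_name: 'Users', scopes: ['manage', 'view'] }] } });
const SAMPLE_VIEW_ONLY = makeToken({ authorization: { permissions: [
  { resource_set_name: 'Users', scopes: ['view'] }] } });
const SAMPLE_ROLE_ONLY = makeToken({ resource_access: {
  'realm-management': { roles: ['manage-users'] } } });
```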

