[keycloak-dev] Fine-grained permissions along hierarchy paths
Thomas Darimont
thomas.darimont at googlemail.com
Tue Aug 14 14:58:20 EDT 2018
Hello,
I have a realm with nested groups that denote a hierarchical corporate
structure.
/corp
-/org
--/branch1
---/division1
----/team1
----/team2
---/division2
----/team3
----/team4
--/branch2
-/infra
...
Users belong to one particular group along the /corp/org subtree, but might
also be members of one or more groups from a different subtree, e.g.,
/corp/infra.
Is it possible to have dedicated admin users at /corp, /branchX, /divisionX
level who can only view and manage the users from their group or subtree
with an admin-console scoped to a fixed realm?
admin-console scoped to group-hierarchy-demo realm:
http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/group-hierarchy-demo/users
If a user logs in as division1-admin-user, he should only be able to see and
manage the users beneath the path (/corp/org/branch1/division1/*).
Does the fine-grained permission system already support use cases like this?
Cheers,
Thomas
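
The subtree rule asked about above, written out as an added example; it is not part of the original message and not Keycloak code or its permission API. It assumes group paths shaped like the ones in the post; the function names, users, and the "division10" sibling are constructed for illustration.

```python
# Added illustration: subtree-scoped visibility over group paths like those
# in the post. All names and sample data are constructed; no Keycloak calls.

def segments(path):
    """Split an absolute group path into segments, rejecting malformed input."""
    if not path.startswith("/"):
        raise ValueError(f"group path must be absolute: {path!r}")
    parts = path.strip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"malformed group path: {path!r}")
    return tuple(parts)

def in_subtree(group_path, scope_path):
    """True if group_path is scope_path itself or one of its descendants.

    Compares whole segments, so /division10 is not inside /division1,
    which a plain string-prefix comparison would get wrong.
    """
    group, scope = segments(group_path), segments(scope_path)
    return group[:len(scope)] == scope

def visible_users(admin_scope, memberships):
    """Users with at least one group membership inside the admin's subtree."""
    return sorted(user for user, groups in memberships.items()
                  if any(in_subtree(g, admin_scope) for g in groups))

def may_manage(admin_scope, user, memberships):
    """Deny by default: unknown users and out-of-scope users are refused."""
    return any(in_subtree(g, admin_scope) for g in memberships.get(user, ()))

# Constructed sample data following the hierarchy in the post.
MEMBERSHIPS = {
    "alice": ["/corp/org/branch1/division1/team1"],
    "bob":   ["/corp/org/branch1/division1/team2", "/corp/infra"],
    "carol": ["/corp/org/branch1/division2/team3"],
    "dave":  ["/corp/org/branch2"],
    "erin":  ["/corp/org/branch1/division10/team9"],  # shares a string prefix only
}

if __name__ == "__main__":
    for scope in ("/corp", "/corp/org/branch1", "/corp/org/branch1/division1"):
        print(scope, "->", visible_users(scope, MEMBERSHIPS))
```

A user with memberships in two subtrees (bob here) is visible to the admins of both, so a division admin managing him also touches a /corp/infra member; whether that is acceptable is a policy decision the rule itself does not settle.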