[keycloak-user] Required roles for clearing login failure counts

Stian Thorgersen sthorger at redhat.com
Fri Nov 27 03:58:35 EST 2015


I agree it should be manage-users. JIRA please

One caveat at the moment: manage-users allows a user to assign the admin role to
himself, as there are no restrictions on what roles can be assigned to users.
This is something we're looking at improving, hopefully for 1.8.

On 27 November 2015 at 09:53, Gregor Tudan <Gregor.Tudan at cofinpro.de> wrote:

> Hi everyone,
>
> while I totally agree that any configuration of the bruteforce-detection
> should require the realm-management role, I’d like to raise the question if
> clearing failed attempts should be that restrictive.
>
> This affects the following service endpoints:
>
> DELETE
> /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
> DELETE /admin/realms/{realm}/attack-detection/brute-force/usernames
>
> We would like to enable callcenter agents to unlock specific users, but
> giving them realm-management permissions doesn't feel right. Wouldn't
> user-management be more appropriate permissions for these endpoints, or are
> there side effects to consider?
>
> Thanks,
> Gregor
>