[keycloak-user] Keycloak impersonate

Marek Posolda mposolda at redhat.com
Fri Dec 2 05:03:13 EST 2016


Hi Tomas,

you're right. It is currently managed just by the impersonation role. So 
you can just remove this role entirely. Also you need to make sure that 
local admin (who is not supposed to be able to impersonate) doesn't have 
permission to re-create the role back and assign himself to this role.

We don't have anything else, like a "Disable impersonation" switch.

Btw. if your local-admin has access to the database, then he has access 
to everything anyway. He can just update the "disable-impersonation" 
switch and re-enable it back (in case we ever have such a switch). He 
can also read the privateKey of the particular realm and manually create an 
accessToken from it and impersonate the user with that token.

Marek


On 01/12/16 15:12, GRMAN, Tomas wrote:
>
> Hi Marek, is it possible to disable (or completely remove) Keycloak 
> impersonate function?
>
> I understand that it is a nice feature for troubleshooting, but in 
> our case (for one security sensitive app) it represents a big issue, 
> because an admin can access sensitive data as the impersonated user.
>
> I found that it is possible to manage that using a dedicated role 
> (impersonation), but in our case it is not sufficient (it could be 
> added directly in the database, I guess).
>
> Thanks for any advice.
>
> Tomas
>
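As an added example that is not part of this thread or of Keycloak's own code: an audit over a realm export that follows Marek's advice, reporting which users end up with the realm-management "impersonation" client role, either directly or through a composite role (realm-admin in the constructed data below contains it). The export fragment is constructed and the function names are my own.

```python
import json

# Constructed fragment of a Keycloak realm export (assumed shape: roles.realm, roles.client, users[]).
REALM_EXPORT = json.loads("""{
  "roles": {
    "realm": [{"name": "support", "composite": true,
               "composites": {"client": {"realm-management": ["view-users"]}}}],
    "client": {"realm-management": [
      {"name": "impersonation", "composite": false},
      {"name": "view-users", "composite": false},
      {"name": "realm-admin", "composite": true,
       "composites": {"client": {"realm-management": ["impersonation", "view-users"]}}}
    ]}
  },
  "users": [
    {"username": "alice", "realmRoles": ["support"], "clientRoles": {}},
    {"username": "bob", "realmRoles": [], "clientRoles": {"realm-management": ["impersonation"]}},
    {"username": "carol", "realmRoles": [], "clientRoles": {"realm-management": ["realm-admin"]}}
  ]
}""")

IMPERSONATION = ("realm-management", "impersonation")  # (client, role) key

def _role_index(export):
    # Map (client or None for realm roles, role name) -> role definition.
    idx = {(None, r["name"]): r for r in export["roles"].get("realm", [])}
    for client, roles in export["roles"].get("client", {}).items():
        idx.update({(client, r["name"]): r for r in roles})
    return idx

def effective_roles(export, user):
    # Expand composite roles transitively: a composite such as realm-admin grants
    # everything it contains, so a direct-assignment check alone would miss it.
    idx = _role_index(export)
    todo = [(None, n) for n in user.get("realmRoles", [])]
    todo += [(c, n) for c, ns in user.get("clientRoles", {}).items() for n in ns]
    seen = set()
    while todo:
        key = todo.pop()
        if key in seen:
            continue
        seen.add(key)
        comp = idx.get(key, {}).get("composites", {})
        todo += [(None, n) for n in comp.get("realm", [])]
        todo += [(c, n) for c, ns in comp.get("client", {}).items() for n in ns]
    return seen

def impersonators(export):
    # Usernames that end up with the impersonation role, directly or via composites.
    return sorted(u["username"] for u in export["users"] if IMPERSONATION in effective_roles(export, u))
```

Running this periodically against a fresh export also catches the case Marek mentions, where the role has been re-created and re-assigned after it was removed.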


