[keycloak-user] Keycloak impersonate
Marek Posolda
mposolda at redhat.com
Fri Dec 2 05:03:13 EST 2016
Hi Tomas,
you're right. It is currently managed just by the impersonation role, so
you can simply remove this role entirely. You also need to make sure that
the local admin (who is not supposed to be able to impersonate) doesn't have
permission to re-create the role and assign himself to it.
We don't have anything else like a "Disable impersonation" switch.
Btw. if your local admin has access to the database, then he has access
to everything anyway. He can just update the "disable-impersonation"
switch and re-enable it (in case we ever have such a switch). He
can also read the privateKey of the particular realm, manually create an
accessToken from it and impersonate the user with that token.
Marek
On 01/12/16 15:12, GRMAN, Tomas wrote:
>
> Hi Marek, is it possible to disable (or completely remove) the Keycloak
> impersonate function?
>
> I understand that it is a nice feature for troubleshooting, but in
> our case (for one security-sensitive app) it represents a big issue,
> because an admin can access sensitive data as the impersonated user.
>
> I found that it is possible to manage that using a dedicated role
> (impersonation), but in our case it is not sufficient (it could be
> added directly in the database, I guess).
>
> Thanks for any advice.
>
> Tomas
>
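Marek's advice above (delete the `impersonation` client role of `realm-management` and make sure nobody keeps it through a composite role such as `realm-admin` or through a group mapping) can be checked offline against a realm export. The script below is an added example written for this thread; it is not code from the thread or from Keycloak. It assumes the JSON shape of a Keycloak realm export (`roles.client`, `users[].clientRoles`, `groups[].clientRoles`, `subGroups`) and uses a constructed sample realm; the audit reports whether the role still exists and which users end up holding it directly, via a composite, or via a parent group, and `remove_impersonation` shows what the export looks like once the role is gone everywhere.

```python
import copy
import json

CLIENT = "realm-management"   # client that carries the admin roles
ROLE = "impersonation"        # the role the thread says to remove

# Constructed sample in the shape of a Keycloak realm export; names and assignments are made up.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "roles": {"client": {CLIENT: [
        {"name": "impersonation", "composite": False},
        {"name": "view-users", "composite": False},
        {"name": "manage-users", "composite": False},
        {"name": "realm-admin", "composite": True,
         "composites": {"client": {CLIENT: ["impersonation", "view-users", "manage-users"]}}},
    ]}},
    "groups": [{"name": "helpdesk", "path": "/helpdesk",
                "clientRoles": {CLIENT: ["impersonation"]},
                "subGroups": [{"name": "tier1", "path": "/helpdesk/tier1",
                               "clientRoles": {}, "subGroups": []}]}],
    "users": [
        {"username": "alice", "clientRoles": {CLIENT: ["realm-admin"]}, "groups": []},
        {"username": "bob", "clientRoles": {CLIENT: ["view-users"]}, "groups": ["/helpdesk/tier1"]},
        {"username": "carol", "clientRoles": {CLIENT: ["manage-users"]}, "groups": []},
    ],
})


def load_sample():
    return json.loads(SAMPLE_EXPORT)


def client_roles(realm):
    return realm.get("roles", {}).get("client", {}).get(CLIENT, [])


def expand(realm, names):
    """Expand role names through composite roles, transitively."""
    by_name = {r["name"]: r for r in client_roles(realm)}
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = by_name.get(name)
        if role and role.get("composite"):
            stack.extend(role.get("composites", {}).get("client", {}).get(CLIENT, []))
    return seen


def group_role_map(realm):
    """Map group path -> roles mapped directly on that group (subgroups flattened)."""
    out = {}

    def walk(groups):
        for g in groups:
            out[g["path"]] = set(g.get("clientRoles", {}).get(CLIENT, []))
            walk(g.get("subGroups", []))
    walk(realm.get("groups", []))
    return out


def assigned_roles(user, gmap):
    """Roles a user gets directly or via group membership; parent groups are inherited."""
    roles = set(user.get("clientRoles", {}).get(CLIENT, []))
    for path in user.get("groups", []):
        parts = path.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            roles |= gmap.get("/" + "/".join(parts[:i]), set())
    return roles


def audit(realm):
    """Report whether the role still exists and which users effectively hold it."""
    gmap = group_role_map(realm)
    holders = {}
    for user in realm.get("users", []):
        assigned = assigned_roles(user, gmap)
        if ROLE in expand(realm, assigned):
            holders[user["username"]] = sorted(assigned)   # the mappings that led here
    exists = any(r["name"] == ROLE for r in client_roles(realm))
    return {"role_exists": exists, "holders": holders}


def remove_impersonation(realm):
    """Return a copy of the export with the role removed from the role list, composites, groups and users."""
    realm = copy.deepcopy(realm)
    roles = [r for r in client_roles(realm) if r["name"] != ROLE]
    for r in roles:
        comp = r.get("composites", {}).get("client", {})
        if CLIENT in comp:
            comp[CLIENT] = [n for n in comp[CLIENT] if n != ROLE]
    realm.setdefault("roles", {}).setdefault("client", {})[CLIENT] = roles

    def strip(holder):
        cr = holder.get("clientRoles", {})
        if CLIENT in cr:
            cr[CLIENT] = [n for n in cr[CLIENT] if n != ROLE]

    def walk(groups):
        for g in groups:
            strip(g)
            walk(g.get("subGroups", []))
    walk(realm.get("groups", []))
    for u in realm.get("users", []):
        strip(u)
    return realm


if __name__ == "__main__":
    realm = load_sample()
    print("before:", audit(realm))
    print("after: ", audit(remove_impersonation(realm)))
```

In the sample, `alice` holds the role only through the `realm-admin` composite and `bob` only through the parent group `/helpdesk`, which is exactly the kind of indirect mapping a plain "is the role assigned to anyone" check misses. Re-running the audit after each Keycloak upgrade or admin change catches the role being re-created or re-mapped, which is the residual risk Marek points out for a local admin.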