[keycloak-user] Keycloak impersonate

GRMAN, Tomas Tomas.GRMAN at orange.com
Mon Dec 5 03:45:40 EST 2016


Hi Marek,

Thanks for info.


Tomas

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: 2 December 2016 11:03
To: GRMAN, Tomas <Tomas.GRMAN at orange.com>; keycloak-user at lists.jboss.org
Cc: STEFKA, Peter (ext.) <Peter.STEFKA at orange.com>
Subject: Re: Keycloak impersonate

Hi Tomas,

you're right. It is currently managed just by the impersonation role. So you can just remove this role entirely. Also you need to make sure that local admin (who is not supposed to be able to impersonate) doesn't have permission to re-create the role back and assign himself to this role.

We don't have anything else like a "Disable impersonation" switch.

Btw. if your local-admin has access to the database, then he has access to everything anyway. He can just update the "disable-impersonation" switch and re-enable it (in case we ever have such a switch). He can also read the privateKey of the particular realm, manually create an accessToken from it and impersonate the user with that token.

Marek


On 01/12/16 15:12, GRMAN, Tomas wrote:
Hi Marek, is it possible to disable (or completely remove) Keycloak impersonate function?
I understand that it is a nice feature for troubleshooting, but in our case (for one security-sensitive app) it represents a big issue, because an admin can access sensitive data as the impersonated user.
I found that it is possible to manage that using a dedicated role (impersonation), but in our case it is not sufficient (it could be added directly in the database, I guess).
Thanks for any advice.

Tomas
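Marek's answer comes down to two checks a realm owner would want to repeat after removing the role: that the `impersonation` client role of `realm-management` is gone, and that no admin account still reaches it, directly or through a composite role such as `realm-admin`. The following audit is an added example, not code from the thread or from the Keycloak project. It walks an exported realm JSON; the export layout (`roles.client.realm-management`, per-role `composites.client`, per-user `clientRoles`) is assumed from Keycloak partial exports that include users, the sample realm is constructed for the example, and roles inherited via groups are deliberately not covered.

```python
import json

# Constructed sample of a Keycloak realm export with users (not data from the
# thread). The layout mirrors the RoleRepresentation/UserRepresentation shape
# seen in partial exports; treat it as an assumption, not a documented contract.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "roles": {
        "client": {
            "realm-management": [
                {"name": "impersonation", "composite": False},
                {"name": "view-users", "composite": False},
                # realm-admin is a composite that pulls in impersonation
                {"name": "realm-admin", "composite": True,
                 "composites": {"client": {"realm-management": ["impersonation", "view-users"]}}},
                # a constructed "local-admin" composite that does NOT include it
                {"name": "local-admin", "composite": True,
                 "composites": {"client": {"realm-management": ["view-users"]}}},
            ]
        }
    },
    "users": [
        {"username": "alice", "clientRoles": {"realm-management": ["impersonation"]}},
        {"username": "bob",   "clientRoles": {"realm-management": ["realm-admin"]}},
        {"username": "carol", "clientRoles": {"realm-management": ["local-admin"]}},
        {"username": "dave",  "clientRoles": {}},
    ],
})

MGMT_CLIENT = "realm-management"
IMPERSONATION = "impersonation"


def _mgmt_roles(export):
    """Map role name -> role representation for the realm-management client."""
    roles = export.get("roles", {}).get("client", {}).get(MGMT_CLIENT, [])
    return {r["name"]: r for r in roles}


def expand_role(name, roles, seen=None):
    """Return every realm-management role reachable from `name` via composites.

    Cycles are tolerated: a role already in `seen` is not expanded again.
    """
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return seen
    seen.add(name)
    children = roles[name].get("composites", {}).get("client", {}).get(MGMT_CLIENT, [])
    for child in children:
        expand_role(child, roles, seen)
    return seen


def impersonation_holders(export_json):
    """Return {username: [directly assigned mgmt roles]} for users who can impersonate.

    A user qualifies if `impersonation` is in the transitive closure of the
    realm-management roles assigned to them.
    """
    export = json.loads(export_json)
    roles = _mgmt_roles(export)
    holders = {}
    for user in export.get("users", []):
        assigned = user.get("clientRoles", {}).get(MGMT_CLIENT, [])
        effective = set()
        for role in assigned:
            effective |= expand_role(role, roles)
        if IMPERSONATION in effective:
            holders[user["username"]] = sorted(assigned)
    return holders


def role_still_defined(export_json):
    """True while the impersonation role itself still exists in the export."""
    return IMPERSONATION in _mgmt_roles(json.loads(export_json))


if __name__ == "__main__":
    print("impersonation role present:", role_still_defined(SAMPLE_EXPORT))
    for user, via in impersonation_holders(SAMPLE_EXPORT).items():
        print(f"{user} can impersonate via {via}")
```

Run against a real export, the expected clean result after Marek's advice is `role_still_defined` returning `False` and an empty holder map; in the constructed sample, `bob` is flagged even though he was never given `impersonation` directly, which is the composite-role case the audit exists to catch.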
