[keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
Pedro Igor Silva
psilva at redhat.com
Tue May 9 07:38:33 EDT 2017
You are right. We are not considering roles associated with groups. We also
lack a group based policy ....
For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
Will start working on those two issues before next release.
On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de>
wrote:
> Hi Jeremy,
>
> I noticed the same behaviour and it still happens in version 3.1.0.CR1.
> Effective Roles are not taken into account by the Policy Evaluation Tool,
> only roles assigned directly to a user.
>
> Best regards
> Bettina
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
> lists.jboss.org] Im Auftrag von Jeremy Majors
> Gesendet: Montag, 27. Februar 2017 22:57
> An: keycloak-user at lists.jboss.org
> Betreff: [keycloak-user] Group Level Roles Not Honored by Policy
> Evaluation Tool
>
> I have setup my users to have the 'read' role by associating that role to
> a group which my users have been associated with. While testing the
> policies for a resource using the Policy Evaluation tool I determined that
> the roles associated with the groups weren't being picked up and the user
> was being denied access to the resource (please note that when I looked at
> the user's roles I did notice that 'read' was listed as an effective
> role). When I removed one of the users from the group and directly
> assigned the 'role' to the user then I was able to successfully access the
> resource using the Policy Evaluation tool.
>
>
> Can anyone else reproduce this issue? It's unclear whether it could be
> related to KEYCLOAK-2964, which has been closed.
>
>
> Thanks in advance,
>
> Jeremy
>
> Privileged/Confidential Information may be contained in this message. If
> you are not the addressee indicated in this message (or responsible for
> delivery of the message to such person), you may not copy or deliver this
> message to anyone. In such case, you should destroy this message and kindly
> notify the sender by reply email. Please advise immediately if you or your
> employer does not consent to Internet email for messages of this kind.
> Opinions, conclusions and other information in this message that do not
> relate to the official business of my firm shall be understood as neither
> given nor endorsed by it.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list