[keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool

Bill Burke bburke at redhat.com
Tue May 9 10:36:25 EDT 2017


The policy evaluation tool should be validating roles based on group 
membership.  I thought i fixed that, but I guess not.


On 5/9/17 7:38 AM, Pedro Igor Silva wrote:
> You are right. We are not considering roles associated with groups. We also
> lack a group based policy ....
>
> For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
> For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
>
> Will start working on those two issues before next release.
>
> On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de>
> wrote:
>
>> Hi Jeremy,
>>
>> I noticed the same behaviour and it still happens in version 3.1.0.CR1.
>> Effective Roles are not taken into account by the Policy Evaluation Tool,
>> only roles assigned directly to a user.
>>
>> Best regards
>> Bettina
>>
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@
>> lists.jboss.org] On behalf of Jeremy Majors
>> Sent: Monday, 27 February 2017 22:57
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Group Level Roles Not Honored by Policy
>> Evaluation Tool
>>
>> I have setup my users to have the 'read' role by associating that role to
>> a group which my users have been associated with.  While testing the
>> policies for a resource using the Policy Evaluation tool I determined that
>> the roles associated with the groups weren't being picked up and the user
>> was being denied access to the resource (please note that when I looked at
>> the user's roles I did notice that 'read' was listed as an effective
>> role).  When I removed one of the users from the group and directly
>> assigned the 'role' to the user then I was able to successfully access the
>> resource using the Policy Evaluation tool.
>>
>>
>> Can anyone else reproduce this issue?  It's unclear whether it could be
>> related to KEYCLOAK-2964, which has been closed.
>>
>>
>> Thanks in advance,
>>
>> Jeremy
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
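The behaviour reported in the thread (group-mapped roles show up as effective roles on the user, but the Policy Evaluation Tool only credits directly assigned roles), modelled as an added example that is not Keycloak's own code. The data model here (users, groups with a parent link, role mappings on users and groups) is a simplified assumption used only to show the difference between the two ways of evaluating a role policy.

```python
"""Illustrative model of role-policy evaluation with and without group role
inheritance. Added example, not Keycloak code; the data model is assumed."""
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    roles: frozenset = frozenset()
    parent: "Group | None" = None


@dataclass
class User:
    name: str
    direct_roles: frozenset = frozenset()
    groups: tuple = ()


def effective_roles(user: User) -> frozenset:
    """Direct role mappings plus roles inherited from every group the user
    belongs to, walking up each group's parent chain (assumption: a role
    mapped on a parent group also applies to members of its subgroups)."""
    roles = set(user.direct_roles)
    for group in user.groups:
        g, seen = group, set()
        while g is not None and g.name not in seen:  # guard against cycles
            seen.add(g.name)
            roles |= g.roles
            g = g.parent
    return frozenset(roles)


def role_policy(required: set, user: User, use_groups: bool) -> str:
    """Grant if the user holds every required role. use_groups=False
    reproduces the reported behaviour: only directly assigned roles count."""
    held = effective_roles(user) if use_groups else user.direct_roles
    return "GRANT" if required <= set(held) else "DENY"


# Constructed sample data: 'read' is mapped on a group, not on alice herself;
# bob has it assigned directly (the workaround described in the thread);
# carol is only in a subgroup of the readers group.
READERS = Group("readers", frozenset({"read"}))
TEAM_A = Group("team-a", parent=READERS)
ALICE = User("alice", groups=(READERS,))
BOB = User("bob", direct_roles=frozenset({"read"}))
CAROL = User("carol", groups=(TEAM_A,))

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, "direct-only:", role_policy({"read"}, u, False),
              "effective:", role_policy({"read"}, u, True))
```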