[keycloak-user] Set up fine grained permissions

Pedro Igor Silva psilva at redhat.com
Fri Apr 6 07:59:04 EDT 2018


Hi Daniel,

Did you try to configure the "view" permission for your client? Try to
define the same policy for the "view" permission, just like you did for the
"manage" permission.

It may look strange, as you already have the "manage" permission granting
you access, but it is how it works. Let me know if it works and we'll
create a JIRA to discuss the problem in more detail.

On Fri, Apr 6, 2018 at 3:33 AM, Hammarberg, Daniel <
daniel.hammarberg at capgemini.com> wrote:

> Hi all,
>
> Does anyone have any input on this? We are really stuck on this one...
>
> Regards
> /Daniel
>
>
> -----Original Message-----
> From: Hammarberg, Daniel <daniel.hammarberg at capgemini.com>
> Sent: den 3 april 2018 09:58
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Set up fine grained permissions
>
> Hi all,
>
> I am trying to set up fine grained permissions, following the instructions
> at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
>
> I don’t manage to set permissions for a user to view one client. Could
> anyone help me to find what’s missing?
>
> My settings:
>
> In the Users menu:
>
> User cm_g123456 is a member of the group “Content Managers”.
> The group Content Managers is mapped to the realm role “Content Manager”
> and the client roles realm-management -> query-clients and view-users.
> If I open the user cm_g123456 and check the Effective Roles under Role
> Mappings, I can see that Content Manager is active.
> The user cm_g123456 also has the client role realm-management ->
> query-clients.
>
> In the Clients menu:
>
> I open my client, “foo.com”.
>
> Permissions are enabled. I have the following permission:
>
> Name: manage.permission.client.manageSkfCom
> Scopes: manage
> Apply Policy: content-managers
> Decision Strategy: Unanimous
>
> I have the following policy:
>
> Name: content-managers
> Realm Roles:
>    Name: Content Manager
>    Required: checked
> Logic: Positive
>
> When I log in to the admin console as the user cm_g123456, I cannot see
> any clients. Also, when opening a user I cannot see any client roles in the
> Available Roles list under Role Mappings.
>
> Best regards
> /Daniel
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
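
An added example, not part of the original thread and not Keycloak code: a small audit for the situation discussed above, where a policy is attached to a client's "manage" permission but not to its "view" permission. The input records and their field names (`client`, `scope`, `policies`) are constructed for this example and are not Keycloak's export format.

```python
import json
from collections import defaultdict

# Constructed sample data: one record per scope permission of a client.
# The field names are assumptions made for this example.
SAMPLE_PERMISSIONS = json.loads("""[
  {"client": "foo.com", "scope": "manage", "policies": ["content-managers"]},
  {"client": "foo.com", "scope": "view", "policies": []},
  {"client": "bar.example", "scope": "manage", "policies": ["content-managers"]},
  {"client": "bar.example", "scope": "view", "policies": ["content-managers"]},
  {"client": "baz.example", "scope": "manage", "policies": ["content-managers", "auditors"]},
  {"client": "baz.example", "scope": "view", "policies": ["auditors"]},
  {"client": "qux.example", "scope": "manage", "policies": ["content-managers"]}
]""")


def find_scope_gaps(permissions, granted="manage", required=("view",)):
    """Report policies applied to the `granted` scope permission of a client
    that are not also applied to each scope permission named in `required`."""
    by_client = defaultdict(dict)
    for perm in permissions:
        scopes = by_client[perm["client"]]
        scopes.setdefault(perm["scope"], set()).update(perm["policies"])

    gaps = []
    for client in sorted(by_client):
        scopes = by_client[client]
        source = scopes.get(granted, set())
        for scope in required:
            # A scope with no record at all is treated like one with no policies.
            missing = sorted(source - scopes.get(scope, set()))
            if missing:
                gaps.append({"client": client, "scope": scope,
                             "missing_policies": missing})
    return gaps


if __name__ == "__main__":
    for gap in find_scope_gaps(SAMPLE_PERMISSIONS):
        print('{}: apply {} to the "{}" permission'.format(
            gap["client"], ", ".join(gap["missing_policies"]), gap["scope"]))
```
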
