[keycloak-user] Group Role Mapping

Τζέκος Νικόλαος nitzekos at yahoo.gr
Fri Dec 7 09:17:01 EST 2018


Hello all,
Congratulations for this great product. We are using it to provide authentication for a new web-app we are deploying. In the future we may use it for authorization also. I have read many articles and posts on this list but I am still not sure if my problem is considered a problem/bug or I have done something wrong. I have this situation:
LDAP group group1, mapped to Keycloak group1
user1, user2 and user3 members of group1
All this works ok as I used group-ldap-mapper.
Now, let's say that in my realm I have 3 clients: client1, client2 and client3. All of these clients have some similar needs, so to support all of them I am using Realm roles and not client roles.
So, I created role1 for my realm. Afterwards I wanted to assign role1 to all members of group1, so I went to Groups->group1->Edit->Role Mappings and from the available Realm Roles I selected role1 and assigned it. Now, what I would expect is two things:
1) If I go to Roles->role1->Users In Role, to see all the members of group1. This doesn't happen!
2) If I go to Users->user1->Role Mappings I would expect to see role1 as an Assigned Role, but I see it as an Effective Role. Now this causes me the problem that if for any reason I want to remove role1 from a single user, i.e. user1, I cannot, since it is only in the Effective Roles list.
However, if I go specifically and assign role1 to a user from Users->Role Mappings then both those cases mentioned above work ok.
Am I doing something wrong here? How should this work? Do you have any suggestion? I am pretty sure that this scenario makes sense for an administrator where he/she wants to assign some roles to existing groups coming from LDAP/Active Directory and also have the flexibility to remove roles from specific users of a group. Otherwise the administrator should go and assign the role to each user separately. I forgot to mention that we are using Keycloak 4.6.
I also have some questions about some calls of the Rest API but I think it's better not to write them here and send another mail. 
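Added example (not from this post or the Keycloak project): an offline Python model of how Keycloak resolves a user's realm roles, using constructed sample data shaped after the situation above (group1 with role1 mapped on it, user1..user3 as members). It shows why role1 appears only under Effective Roles for a group member and why Users in Role lists only direct mappings; it goes beyond the post by also modelling subgroup inheritance and composite roles.

```python
# Constructed sample data (not from the post), shaped after the situation described: realm
# roles (role2 is a composite containing role1), groups with realm-role mappings (subgroups
# inherit the parent's), and users with their direct (assigned) roles and group memberships.
REALM_ROLES = {"role1": [], "role2": ["role1"]}  # name -> roles it contains as a composite
GROUP_ROLES = {
    "/group1": ["role1"],  # role1 mapped on group1, as in the post
    "/group1/sub": [],     # inherits role1 from /group1
}
USERS = {
    "user1": {"direct": [], "groups": ["/group1"]},
    "user2": {"direct": [], "groups": ["/group1/sub"]},
    "user3": {"direct": ["role1"], "groups": ["/group1"]},  # also assigned directly
    "admin": {"direct": ["role2"], "groups": []},
}

def expand_composites(roles):
    """Transitively add the roles contained in composite roles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(REALM_ROLES[role])
    return seen

def group_chain(path):
    """The group and all its ancestors, e.g. /group1/sub -> [/group1, /group1/sub]."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def assigned_roles(user):
    """What Users -> user -> Role Mappings lists as Assigned Roles: direct mappings only."""
    return set(USERS[user]["direct"])

def effective_roles(user):
    """Direct roles plus roles inherited via groups and their parents, composites expanded."""
    roles = set(USERS[user]["direct"])
    for group in USERS[user]["groups"]:
        for ancestor in group_chain(group):  # a role inherited this way has no per-user mapping to delete
            roles.update(GROUP_ROLES.get(ancestor, []))
    return expand_composites(roles)

def users_in_role(role):
    """What Roles -> role -> Users in Role lists: only users with a direct mapping."""
    return {u for u, data in USERS.items() if role in data["direct"]}

def users_with_effective_role(role):
    """Audit view the console does not offer: everyone who effectively holds the role."""
    return {u for u in USERS if role in effective_roles(u)}
```

For user1 the model returns no assigned roles but role1 as an effective role, and users_in_role("role1") returns only user3, which is exactly the console behaviour described in the post.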