[keycloak-user] View-users permissions only view some users

Nicolas Gillet nicolas.gillet at market-ip.com
Wed Jul 11 11:31:36 EDT 2018


Thank you Dmitri,

This definitely helps.
Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository.
I have data in my users I want to use in order to create the group and manage visibility & impersonation.
However, I can't find how to add users to groups and create these groups through the SPI.

I do see the method "UserQueryProvider.getGroupMembers", but I have no clue how to create groups or what the implementation of this method should do :-/

Is there any example I can take inspiration from where groups are driven by an external source?

Kind regards,

-----Original message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Tuesday, 10 July 2018 12:42
To: Nicolas Gillet <nicolas.gillet at market-ip.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Hi Nicolas,

You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view the group, then repeat for the "view-members" permission.

Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
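The four steps Dmitry lists, scripted against the Keycloak Admin REST API, as an added example (this is not code from the thread or from the Keycloak project). It assumes you already hold a bearer token for an administrator who can manage the realm, that the realm is a non-master realm so the roles and permissions live on its "realm-management" client, and that the realm name, group name, usernames and ids are constructed placeholders. The endpoint paths, the "scopePermissions" keys ("view", "view-members") returned when permissions are enabled, and the shape of the scope-permission update are taken from the Admin REST API as it stood around Keycloak 4.x and should be checked against your version.

```python
# Added example (not from the thread or the Keycloak project): automate
# Dmitry's group-scoped admin setup through the Admin REST API.
import json
import urllib.request


class KeycloakAdmin:
    """Minimal Admin REST client. The token is obtained elsewhere (assumption)."""

    def __init__(self, base_url, realm, token):
        self.base = base_url.rstrip("/") + "/admin/realms/" + realm
        self.token = token

    def call(self, method, path, body=None):
        # Returns (decoded JSON body or None, Location header or None).
        req = urllib.request.Request(
            self.base + path,
            method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + self.token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return (json.loads(raw) if raw else None), resp.headers.get("Location")


def id_from_location(location):
    """POST-create answers 201 with the new id as the last path segment."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def setup_group_scoped_admin(kc, group_name, member_ids, admin_username,
                             mgmt_client_id="realm-management"):
    """Create the group, the restricted admin, its roles and the permissions.

    Returns the created ids so the result can be audited or torn down later.
    """
    # Step 1: put the users into a group.
    _, loc = kc.call("POST", "/groups", {"name": group_name})
    group_id = id_from_location(loc)
    for uid in member_ids:
        kc.call("PUT", f"/users/{uid}/groups/{group_id}")

    # Step 2: create the restricted admin user.
    _, loc = kc.call("POST", "/users", {"username": admin_username, "enabled": True})
    admin_id = id_from_location(loc)

    # Step 3: grant "query-groups" and "impersonation" from the management client
    # (use "master-realm" instead of "realm-management" for the master realm).
    clients, _ = kc.call("GET", f"/clients?clientId={mgmt_client_id}")
    mgmt_uuid = clients[0]["id"]
    roles = [kc.call("GET", f"/clients/{mgmt_uuid}/roles/{name}")[0]
             for name in ("query-groups", "impersonation")]
    kc.call("POST", f"/users/{admin_id}/role-mappings/clients/{mgmt_uuid}", roles)

    # Step 4: enable fine-grained permissions on the group; the response maps
    # scope names to the ids of the auto-created scope permissions.
    perms, _ = kc.call("PUT", f"/groups/{group_id}/management/permissions",
                       {"enabled": True})
    authz = f"/clients/{mgmt_uuid}/authz/resource-server"
    body, loc = kc.call("POST", f"{authz}/policy/user", {
        "name": f"{admin_username}-may-view-{group_name}",
        "users": [admin_id],
        "logic": "POSITIVE",
    })
    policy_id = (body or {}).get("id") or id_from_location(loc)

    bound = {}
    for scope in ("view", "view-members"):
        perm_id = perms["scopePermissions"][scope]
        rep, _ = kc.call("GET", f"{authz}/permission/scope/{perm_id}")
        # Assumption: PUT accepts the fetched representation with policies set.
        rep["policies"] = [policy_id]
        rep["decisionStrategy"] = "UNANIMOUS"
        kc.call("PUT", f"{authz}/permission/scope/{perm_id}", rep)
        bound[scope] = perm_id

    return {"group_id": group_id, "admin_id": admin_id, "policy_id": policy_id,
            "permissions": bound}


if __name__ == "__main__":
    # Constructed placeholders: replace with a real server, realm and token.
    kc = KeycloakAdmin("https://keycloak.example.invalid/auth", "demo", "TOKEN")
    print(setup_group_scoped_admin(kc, "tenant-a", ["user-id-1", "user-id-2"],
                                   "tenant-a-admin"))
```

After this runs, log in to the admin console as the new user and confirm that the user list shows only members of the group and that an impersonation attempt against a user outside the group (by internal ID) is refused; that is the behaviour Dmitry describes, and it is the check worth keeping in your deployment tests.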

On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
> 
> Is it possible to grant a user the permission to view only some (not
> all) users of the realm?
> Same question about being allowed to impersonate only the users he is
> allowed to see?
> 
> Thanks for any help :-)
> 
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
