[keycloak-user] View-users permissions only view some users

Nicolas Gillet nicolas.gillet at market-ip.com
Thu Jul 12 11:40:50 EDT 2018


Ok,

After a few hours of trial and error, I managed to create my groups dynamically through the SPI.
The trick was to use the RealmModel that is passed to the provider methods to create groups.
As it's not documented anywhere, I hope this has no caveats. So far the created groups seem to be correct and persisted.

Now I am stuck figuring out how to create a policy that will allow a user of a group to manage only users of a subgroup of his own group. :-/

Does anyone have a hint?

Kind regards,
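The approach Nicolas describes (creating groups from the RealmModel handed to the provider methods), written out as an added example. This is not code from the thread or from the Keycloak project; it uses the Keycloak 4.x method signatures of that era (`getUserByUsername(String, RealmModel)` etc.), and `ExternalDirectory`, `ExternalRecord` and the group-path field are hypothetical stand-ins for whatever the external source really holds:

```java
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Added example, not code from the thread: a read-only user storage provider
 * (Keycloak 4.x signatures) that derives realm groups from a field of the
 * external user record, creates them through the RealmModel passed to the
 * provider methods, and records the membership in federated storage.
 */
public class GroupAwareStorageProvider implements UserStorageProvider, UserLookupProvider {

    /** Hypothetical external record; a real provider reads this from its own store. */
    public static final class ExternalRecord {
        public final String username, email, groupPath;
        public ExternalRecord(String username, String email, String groupPath) {
            this.username = username; this.email = email; this.groupPath = groupPath;
        }
    }

    /** Hypothetical lookup interface over the external source. */
    public interface ExternalDirectory {
        ExternalRecord findByUsername(String username);
        ExternalRecord findByEmail(String email);
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final ExternalDirectory directory;

    public GroupAwareStorageProvider(KeycloakSession session, ComponentModel model, ExternalDirectory directory) {
        this.session = session;
        this.model = model;
        this.directory = directory;
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        ExternalRecord rec = directory.findByUsername(username);
        return rec == null ? null : adapt(realm, rec);
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Federated ids are "f:<component id>:<external id>"; this provider uses the username as external id.
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        ExternalRecord rec = directory.findByEmail(email);
        return rec == null ? null : adapt(realm, rec);
    }

    private UserModel adapt(RealmModel realm, ExternalRecord rec) {
        UserModel user = new AbstractUserAdapterFederatedStorage(session, realm, model) {
            @Override public String getUsername() { return rec.username; }
            @Override public void setUsername(String username) { /* external source is read-only */ }
        };
        // e.g. "/tenants/acme/managers": each missing segment is created through the RealmModel,
        // then the adapter stores the membership in Keycloak's federated storage for this user.
        GroupModel group = ensureGroupPath(realm, rec.groupPath);
        if (!user.isMemberOf(group)) {
            user.joinGroup(group);
        }
        return user;
    }

    /** Find or create each segment of a slash-separated group path and return the leaf group. */
    static GroupModel ensureGroupPath(RealmModel realm, String path) {
        GroupModel existing = KeycloakModelUtils.findGroupByPath(realm, path);
        if (existing != null) {
            return existing;
        }
        GroupModel parent = null;
        StringBuilder prefix = new StringBuilder();
        for (String segment : path.split("/")) {
            if (segment.isEmpty()) continue;
            prefix.append('/').append(segment);
            GroupModel group = KeycloakModelUtils.findGroupByPath(realm, prefix.toString());
            if (group == null) {
                group = realm.createGroup(segment);                    // created top-level ...
                if (parent != null) realm.moveGroup(group, parent);   // ... then moved under its parent
            }
            parent = group;
        }
        return parent;
    }

    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }
    @Override public void close() { }
}
```

Two caveats worth checking in a real provider: nothing here serialises concurrent lookups, so two simultaneous first lookups for the same new path can both miss `findGroupByPath` and create the group twice (guard it, or pre-create the group tree out of band); and because group creation happens inside a user lookup, a typo in the external field silently adds a new group to the realm, so validate the path against an allow-list before creating anything.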

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Nicolas Gillet
Sent: Wednesday, 11 July 2018 17:32
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Thank you Dmitri,

This definitely helps.
Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository.
I have data in my users I want to use in order to create the groups and manage visibility & impersonation.
However, I can't find how to add users to groups and create these groups through the SPI.

I do see the method "UserQueryProvider.getGroupMembers", but I have no clue how to create groups or what the implementation of this method should do :-/

Is there any example I can take inspiration from where groups are driven by an external source?

Kind regards,

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Tuesday, 10 July 2018 12:42
To: Nicolas Gillet <nicolas.gillet at market-ip.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Hi Nicolas,

You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view group, then repeat for "view-members" permission.

Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
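Dmitry's four steps, driven through the Keycloak Admin REST API with the keycloak-admin-client library instead of the console, as an added example (not code from Dmitry or from the Keycloak project). The server URL, admin credentials, realm name "demo", group name "tenant-a" and user name "tenant-a-admin" are assumptions. It targets Keycloak 4.x, where fine-grained admin permissions are a preview feature that has to be switched on (the `admin_fine_grained_authz` profile feature); without it the group's management/permissions endpoint is not available:

```java
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.ScopePermissionResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.ManagementPermissionRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;

/**
 * Added example, not from the thread: Dmitry's steps via keycloak-admin-client.
 * Server URL, credentials, realm "demo", group and user names are assumptions.
 */
public class ScopedGroupAdmin {

    public static void main(String[] args) {
        Keycloak kc = Keycloak.getInstance("http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
        RealmResource realm = kc.realm("demo");
        // "demo" is not the master realm, so the admin roles live on its realm-management client.
        ClientResource realmMgmt = realm.clients().get(
                realm.clients().findByClientId("realm-management").get(0).getId());

        // 1. The group that holds the users the scoped admin may see.
        String groupId = createGroup(realm, "tenant-a");
        // 2. + 3. The scoped admin user and the two client roles.
        String adminId = createUser(realm, "tenant-a-admin");
        grantClientRoles(realm, realmMgmt, adminId, "query-groups", "impersonation");
        // 4. Enable permissions on the group; the reference maps scope name to scope-permission id.
        ManagementPermissionReference perms = realm.groups().group(groupId)
                .setPermissions(new ManagementPermissionRepresentation(true));
        AuthorizationResource authz = realmMgmt.authorization();
        String policyId = createUserPolicy(authz, "tenant-a-admin-only", adminId);
        for (String scope : new String[] {"view", "view-members"}) {
            attachPolicy(authz, perms.getScopePermissions().get(scope), policyId);
        }
    }

    static String createGroup(RealmResource realm, String name) {
        GroupRepresentation group = new GroupRepresentation();
        group.setName(name);
        try (Response r = realm.groups().add(group)) { return createdId(r); }
    }

    static String createUser(RealmResource realm, String username) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        try (Response r = realm.users().create(user)) { return createdId(r); }
    }

    /** Created resources come back as 201 with the new id at the end of the Location header. */
    static String createdId(Response r) {
        if (r.getStatus() != 201) {
            throw new IllegalStateException("create failed with HTTP " + r.getStatus());
        }
        String path = r.getLocation().getPath();
        return path.substring(path.lastIndexOf('/') + 1);
    }

    static void grantClientRoles(RealmResource realm, ClientResource client, String userId, String... roleNames) {
        List<RoleRepresentation> roles = new ArrayList<>();
        for (String name : roleNames) {
            roles.add(client.roles().get(name).toRepresentation());
        }
        String clientUuid = client.toRepresentation().getId();
        realm.users().get(userId).roles().clientLevel(clientUuid).add(roles);
    }

    /** A user policy on realm-management's resource server that matches exactly one user. */
    static String createUserPolicy(AuthorizationResource authz, String name, String userId) {
        UserPolicyRepresentation policy = new UserPolicyRepresentation();
        policy.setName(name);
        policy.addUser(userId);
        try (Response r = authz.policies().user().create(policy)) {
            if (r.getStatus() != 201) {
                throw new IllegalStateException("policy create failed with HTTP " + r.getStatus());
            }
            return r.readEntity(UserPolicyRepresentation.class).getId();
        }
    }

    /** Attach the policy to an existing scope permission (e.g. the group's "view-members"). */
    static void attachPolicy(AuthorizationResource authz, String permissionId, String policyId) {
        ScopePermissionResource permission = authz.permissions().scope().findById(permissionId);
        ScopePermissionRepresentation rep = permission.toRepresentation();
        rep.addPolicy(policyId);   // the update replaces the permission's associated policy set
        permission.update(rep);
    }
}
```

The check a practitioner should run afterwards is the one Dmitry states: log in as tenant-a-admin, fetch a user outside the group by its internal id through the admin API, and confirm the request is refused, and likewise that impersonation of that user fails. For the group-based variant Nicolas asks about later in the thread, the same `authz.policies()` entry point also offers group policies (`GroupPolicyRepresentation`), which evaluate the requesting admin's group membership instead of a fixed user id.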

On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
> 
> Is it possible to grant a user the permission to view only some (not
> all) users of the realm ?
> Same question about being allowed to impersonate only the user he is 
> allowed to see ?
> 
> Thanks for any help :-)
> 
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
