[keycloak-user] View-users permissions only view some users

Nils Wild nils.wild at sinnovate.de
Thu Jul 12 12:10:55 EDT 2018


Give the user the query-users role and enable permissions on the groups (the 
one the user should be able to manage and the group he should not be 
able to manage). Now you can set policies to manage members of that 
group and deny it for the members of the other group.

Nils


On 12.07.2018 at 17:40, Nicolas Gillet wrote:
> Ok,
>
> After a few hours of try & fail, I managed to create my groups dynamically through the SPI.
> The trick was to use the RealmModel that is passed to the providers methods to create groups.
> As it's not documented anywhere, I hope this has no caveat. So far the created groups seem to be correct and persisted.
>
> Now I am stuck figuring out how to create a policy that will allow a user of a group to manage only users of a subgroup of his own group. :-/
>
> If anyone has a hint?
>
> Kind regards,
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Nicolas Gillet
> Sent: Wednesday, July 11, 2018 17:32
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] View-users permissions only view some users
>
> Thank you Dmitri,
>
> This definitely helps.
> Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository.
> I have data in my users I want to use in order to create the group and manage visibility & impersonation.
> However I can't find how to add users in groups and created these groups through the SPI.
>
> I do see the method "UserQueryProvider.getGroupMembers" but I have no clue how to create groups and what the implementation of this method should do :-/
>
> Is there any example I can get inspiration from where groups are driven by an external source?
>
> Kind regards,
>
> -----Original Message-----
> From: Dmitry Telegin <dt at acutus.pro>
> Sent: Tuesday, July 10, 2018 12:42
> To: Nicolas Gillet <nicolas.gillet at market-ip.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] View-users permissions only view some users
>
> Hi Nicolas,
>
> You could try the following:
> - put your users into a group;
> - create another user;
> - grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
> - go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view group, then repeat for "view-members" permission.
>
> Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
>> Hello,
>>
>> Is it possible to grant a user the permission to view only some (not
>> all) users of the realm?
>> Same question about being allowed to impersonate only the user he is
>> allowed to see?
>>
>> Thanks for any help :-)
>>
>> Nicolas GILLET
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
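As an added example (not code from this thread or from the Keycloak project): a helper a user storage provider could call from its lookup or import path to create groups from external data and keep a user's membership in step, using only the RealmModel the provider receives, as Nicolas describes. It assumes the Keycloak 4.x model API of mid-2018 (RealmModel.createGroup/moveGroup/getTopLevelGroups, GroupModel.getSubGroups, UserModel.joinGroup/leaveGroup; later releases replaced the collection-returning methods with Stream variants), and the /ext root and the path layout are the example's own.

```java
import java.util.*;
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical helper for a user storage provider whose groups come from an external
// source (e.g. a department field). It uses only the RealmModel the provider receives.
public final class ExternalGroupSync {
    public static final String MANAGED_ROOT = "ext"; // example name: externally managed groups live under /ext
    // Returns the group /ext/seg1/seg2/..., creating any missing level on the way.
    public static GroupModel ensureGroupPath(RealmModel realm, String... segments) {
        GroupModel parent = findByName(realm.getTopLevelGroups(), MANAGED_ROOT);
        if (parent == null) parent = realm.createGroup(MANAGED_ROOT);
        for (String name : segments) {
            GroupModel child = findByName(parent.getSubGroups(), name);
            if (child == null) {
                child = realm.createGroup(name); // createGroup() always makes a top-level group...
                realm.moveGroup(child, parent);  // ...so move it under its parent afterwards
            }
            parent = child;
        }
        return parent;
    }
    // Makes the user's membership under /ext match the external source exactly.
    public static void syncMembership(RealmModel realm, UserModel user, Collection<String> paths) {
        List<GroupModel> current = new ArrayList<>(user.getGroups()); // copy: membership is mutated below
        Set<String> currentIds = new HashSet<>();
        for (GroupModel g : current) currentIds.add(g.getId());
        Set<String> wantedIds = new HashSet<>();
        for (String path : paths) { // e.g. "sales/emea", no leading slash
            GroupModel g = ensureGroupPath(realm, path.split("/"));
            wantedIds.add(g.getId());
            // Direct membership check: isMemberOf() is also true when the user is only in a subgroup.
            if (!currentIds.contains(g.getId())) user.joinGroup(g);
        }
        for (GroupModel g : current) { // groups outside /ext (admin-created) are never touched
            if (isManaged(g) && !wantedIds.contains(g.getId())) user.leaveGroup(g);
        }
    }
    private static GroupModel findByName(Collection<GroupModel> groups, String name) {
        for (GroupModel g : groups) if (name.equals(g.getName())) return g;
        return null;
    }
    private static boolean isManaged(GroupModel g) {
        GroupModel top = g;
        while (top.getParent() != null) top = top.getParent();
        return top != g && MANAGED_ROOT.equals(top.getName());
    }
}
```

Once users carry group membership this way, the group-level permissions discussed in the thread (view, view-members, query-groups, impersonation) apply to them like to any other group member.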
