[keycloak-user] Global "reporting" role like admin but with read-only access to everything?

Dmitry Telegin dt at acutus.pro
Mon Jul 16 19:32:43 EDT 2018


Hi Peter, sorry for not having replied to your first posting,

AFAIK currently you cannot configure a role in a way that it is automatically granted access to every realm, including newly created ones.

You may ask: "but look, that's exactly how the global admin role works!" - that's true, but the global admin role has some special handling that is invoked every time a realm is created (see org.keycloak.services.managers.RealmManager::createRealm)

The good news is that you can have the same behavior for your role, at a reasonably low price of creating and deploying a simple Keycloak extension.

Look at how it's done in BeerCloak:
https://github.com/dteleguin/beercloak/blob/master/beercloak-module/src/main/java/beercloak/providers/BeerResourceProviderFactory.java

In a few words: BeerCloak registers a listener for the RealmPostCreateEvent, and when it arrives, adds two client roles to the global "admin" role.
In your case, you'll be adding all "view-*" and "query-*" roles (belonging to the "<new_realm>-realm" client) to your "reporting" role.

Good luck and feel free to ask any questions on BeerCloak,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-16 at 14:42 -0400, pkboucher801 at gmail.com wrote:
> According to
> https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles
> there are two global roles, admin and create-realm, but we would like to add
> a third one, call it reporting, that has read-only access to all settings in
> every realm (so all of the view- and query- permissions).
> 
> We can create the role as a composite with permissions over every realm, but
> if a new realm is added later, the reporting role has no access unless we
> explicitly grant it.
> 
> Is it possible for us to add a global role by creating a new realm role in
> the master realm, and giving it a particular configuration and/or set of
> permissions?
> 
> Thanks!
> 
> Regards,
> 
> Peter K. Boucher
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
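The listener approach Dmitry describes above (hook RealmPostCreateEvent, then add the new realm's "view-*" and "query-*" client roles to a master-realm "reporting" role), written out as an added example. This is not BeerCloak's code or anything shipped with Keycloak: the package name, the provider id "reporting-role-sync", and the role name "reporting" are assumptions, the role is assumed to already exist in the master realm, and the factory is modelled on the Keycloak 4.x API of mid-2018 (`ClientModel.getRoles()`; newer releases use `getRolesStream()`).

```java
package example.reporting; // hypothetical package name

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.provider.ProviderEvent;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/**
 * Keeps a master-realm "reporting" role in sync with newly created realms.
 * When a realm is created, every read-only admin role ("view-*", "query-*") of
 * that realm's "<realm>-realm" client in the master realm is added to
 * "reporting" as a composite, mirroring what RealmManager does for "admin".
 */
public class ReportingRoleProviderFactory implements RealmResourceProviderFactory {

    private static final Logger LOG = Logger.getLogger(ReportingRoleProviderFactory.class);

    // Master-realm role that should see every realm read-only (assumed to exist already).
    static final String REPORTING_ROLE = "reporting";

    @Override
    public String getId() {
        return "reporting-role-sync"; // hypothetical provider id
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // RealmPostCreateEvent is fired at the end of RealmManager.createRealm,
        // after the "<realm>-realm" client and its admin roles already exist.
        factory.register((ProviderEvent event) -> {
            if (event instanceof RealmModel.RealmPostCreateEvent) {
                onRealmCreated((RealmModel.RealmPostCreateEvent) event);
            }
        });
    }

    static void onRealmCreated(RealmModel.RealmPostCreateEvent event) {
        KeycloakSession session = event.getKeycloakSession();
        RealmModel created = event.getCreatedRealm();
        RealmModel master = session.realms().getRealmByName(Config.getAdminRealm());

        RoleModel reporting = master.getRole(REPORTING_ROLE);
        if (reporting == null) {
            // Fail loudly rather than silently leaving the new realm invisible to reporting users.
            LOG.warnf("Role '%s' missing in master realm; realm '%s' not granted",
                    REPORTING_ROLE, created.getName());
            return;
        }

        // The "<realm>-realm" client in the master realm carries the per-realm admin roles.
        ClientModel realmAdminClient = created.getMasterAdminClient();
        int granted = 0;
        for (RoleModel role : realmAdminClient.getRoles()) { // getRolesStream() on newer Keycloak
            if (isReadOnlyAdminRole(role.getName())) {
                reporting.addCompositeRole(role);
                granted++;
            }
        }
        LOG.infof("Granted %d read-only roles of realm '%s' to '%s'",
                granted, created.getName(), REPORTING_ROLE);
    }

    // Only read-only admin roles qualify. The prefix check deliberately excludes
    // "manage-*", "create-client" and "impersonation", which would turn the
    // reporting role into a write (or identity-assuming) role.
    static boolean isReadOnlyAdminRole(String roleName) {
        return roleName.startsWith("view-") || roleName.startsWith("query-");
    }

    @Override
    public RealmResourceProvider create(KeycloakSession session) {
        // This factory exists only for its postInit hook; it exposes no REST resource.
        return new RealmResourceProvider() {
            @Override public Object getResource() { return null; }
            @Override public void close() { }
        };
    }

    @Override public void init(Config.Scope config) { }
    @Override public void close() { }
}
```

To load it, list the class in `META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory` inside the deployed JAR, exactly as BeerCloak does for its factory. The listener only fires for realms created after deployment, so realms that already exist still need the one-time composite grant Peter mentions. After creating a test realm, a worthwhile check is to open the "reporting" role in the master realm admin console and confirm its associated roles for the new "<realm>-realm" client are all "view-*" or "query-*" and nothing else.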

