[keycloak-user] Fine-grained permissions to map a client role to a group

Leistert Christoph (INST/ECS2) Christoph.Leistert at bosch-si.com
Mon Jun 25 09:54:03 EDT 2018


Hi,

Thanks for your reply.
Sorry, I did not find the fine-grained permissions for groups the first time.
Now I think the problem is related to the fact that there is no specific permission for mapping a role to a group, as you mentioned.

I tried to set up a proper configuration for the described scenario again and ran into the following two problems:
- Group search by name returns 403 Forbidden if the user does not have the "view-groups" role but has the "view" scope permission on a group that matches the search query.
- Mapping a role to a group fails if the user has:
  - the "view" and "manage" permissions of the group and
  - the "map-role" permission of the role

Any further hints on how to solve these problems?

Best regards

Christoph Leistert

(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn



From: Pedro Igor Silva <psilva at redhat.com>
Sent: Friday, 22 June 2018 20:05
To: Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Fine-grained permissions to map a client role to a group

Hi,

We do support fine-grained permissions for Groups. But I think your problem is related to the fact that there is no specific permission for mapping a role to a group. Is that correct?

Regarding the "manage-users" role: this is the role that grants access to groups, as does "view-users".

Regards.
Pedro Igor

On Thu, Jun 14, 2018 at 7:41 AM, Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com> wrote:
Hello,
We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a client role and map this client role to a group they are already a member of.
For the client creation and client role creation we assigned the realm role "manage-clients" to the users, and this is okay for our setup. Additionally, the users are assigned the "query-groups" realm role so that they can see the groups.
We struggle a bit with the right role/permissions setup to map the client role to a group.
First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which also allows the user to, e.g., see all users. This should not be possible for these users.
Now we are trying to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions, and the "map-role" permission of the "Users" resource does not allow mapping a role to a group (403 Forbidden).
Is there any other way than using the "manage-users" realm role to map a client role to a group?
Is it planned to add fine-grained permissions for a "Groups" resource?

Best regards

Christoph Leistert



_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
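To pin down which of the two admin calls is actually denied, here is an added example (not code from the thread and not Keycloak's own tooling) that walks the admin REST calls behind "map a client role to a group" as the restricted user and records the HTTP status of every step; the base URL, realm, and the user, group, client and role names passed in are placeholders to replace, and the group lookup uses the `search` query parameter of the groups endpoint.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

BASE = "http://localhost:8080/auth"  # Keycloak 3.x default context path (assumption)

def call(method, url, token=None, body=None, form=None):
    """One HTTP call; returns (status, parsed JSON or None) instead of raising."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    if form is not None:  # urllib adds the form-urlencoded content type itself
        data = urlencode(form).encode()
    else:
        data = None if body is None else json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data, headers, method=method)) as r:
            return r.status, json.loads(r.read() or b"null")  # 204 No Content -> None
    except urllib.error.HTTPError as e:
        return e.code, None

def password_token(realm, username, password):
    """Log in as the restricted (non-admin) user through the admin-cli public client."""
    form = {"grant_type": "password", "client_id": "admin-cli", "username": username, "password": password}
    st, tok = call("POST", f"{BASE}/realms/{realm}/protocol/openid-connect/token", form=form)
    return tok["access_token"] if st == 200 else None

def map_client_role_to_group(realm, token, group_name, client_id, role_name):
    """Run the admin calls in order, stop at the first failure; the (step, http_status) list shows which call was denied."""
    admin = f"{BASE}/admin/realms/{realm}"
    st, groups = call("GET", f"{admin}/groups?search={quote(group_name)}", token)
    steps = [("search-group", st)]  # problem 1 in the thread: 403 without view-groups
    if st != 200 or not groups:
        return steps
    st, clients = call("GET", f"{admin}/clients?clientId={quote(client_id)}", token)
    steps.append(("find-client", st))
    if st != 200 or not clients:
        return steps
    cid = clients[0]["id"]
    st, role = call("GET", f"{admin}/clients/{cid}/roles/{quote(role_name)}", token)
    steps.append(("find-client-role", st))
    if st != 200:
        return steps
    st, _ = call("POST", f"{admin}/groups/{groups[0]['id']}/role-mappings/clients/{cid}",
                 token, body=[role])
    steps.append(("map-role-to-group", st))  # problem 2 in the thread: 403 despite manage + map-role
    return steps

def first_denied(steps):
    """Name of the first step that got 403 Forbidden, or None if nothing was denied."""
    return next((name for name, st in steps if st == 403), None)
```

Run it once with a token from `password_token(...)` for the restricted user and once for a full admin: a 403 on "search-group" points at the group view permission, a 403 on "map-role-to-group" at the missing role-mapping permission discussed above.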


