[keycloak-user] Doubts regarding fine grained permission on groups

Rafael Weingärtner rafaelweingartner at gmail.com
Fri Apr 5 08:08:38 EDT 2019


Hello folks,
Any takers here? It would be very helpful to have feedback regarding the
intended design before checking the code to confirm these features.

On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Hello Keycloak community,
> We seem to have stumbled across a feature that we do not fully understand
> (after reading and re-reading, and testing). Could somebody help to clarify
> the design of this feature?
>
> When enabling fine grained group permissions, we see the option to assign
> the scope "manage" to users in specific groups. According to our
> understanding, this scope would allow us to create the "role" of users
> ("group-admins") to manage (update user information, reset credentials,
> enable/disable) other users in the same group; users with this "role" would
> also not be able to see the other users in the realm that are not assigned
> to the group where they have this special permissions. Therefore, the
> actions of creating and removing users would still be restricted to the
> manage-users permission that can be set to "user-managers" in the whole
> realm.
>
> During our tests, we noticed that the users that receive the "manage" scope
> permission in a group are able to delete users of the group. Is this the
> expected behavior? After noticing this, we also thought that they would
> then be able to create users in the group (if they can remove, why not
> enabling them to create as well?); however, these users are not able to
> create other users in the group that they have permission to manage (even
> when explicitly assigning the group to the user being created). Is this a
> bug? Or something that is not completely documented?
>
> --
> Rafael Weingärtner
>


-- 
Rafael Weingärtner
