[keycloak-user] Doubts regarding fine grained permission on groups

Pedro Igor Silva psilva at redhat.com
Fri Apr 5 08:45:20 EDT 2019


Hi Rafael,

Yeah, this is how it was implemented. I understand your point and this is one
of the things that we need to review in regards to fine-grained permissions
in the admin console.

We have a few open JIRAs that we are looking forward to working on in the future.
Could you please file a new JIRA for this problem in particular?

Regards.
Pedro Igor


On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Hello folks,
> Any takers here? It would be very helpful to have feedback regarding the
> intended design before checking the code to confirm these features.
>
> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
> rafaelweingartner at gmail.com> wrote:
>
> > Hello Keycloak community,
> > We seem to have stumbled across a feature that we do not fully understand
> > (after reading and re-reading, and testing). Could somebody help to clarify
> > the design of this feature?
> >
> > When enabling fine grained group permissions, we see the option to assign
> > the scope "manage" to users in specific groups. According to our
> > understanding, this scope would allow us to create the "role" of users
> > ("group-admins") to manage (update user information, reset credentials,
> > enable/disable) other users in the same group; users with this "role"
> > would also not be able to see the other users in the realm that are not
> > assigned to the group where they have these special permissions. Therefore,
> > the actions of creating and removing users would still be restricted to the
> > manage-users permission that can be set to "user-managers" in the whole
> > realm.
> >
> > During our tests, we noticed that the users that receive the "manage"
> > scope permission in a group are able to delete users of the group. Is this
> > the expected behavior? After noticing this, we also thought that they would
> > then be able to create users in the group (if they can remove, why not
> > enable them to create as well?); however, these users are not able to
> > create other users in the group that they have permission to manage (even
> > when explicitly assigning the group to the user being created). Is this a
> > bug? Or something that is not completely documented?
> >
> > --
> > Rafael Weingärtner
> >
>
>
> --
> Rafael Weingärtner
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
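A small probe that makes the question in this thread checkable, added here as an example (it is not code from the thread or from the Keycloak project). It calls three Keycloak Admin REST API endpoints under /admin/realms/{realm}/users with the access token of a group-scoped admin and records which calls the server allows, then lists anything that succeeded beyond the policy the operator intended. Assumptions: the base URL, realm, token, group path and user id are placeholders the reader supplies (the token is obtained separately, e.g. from the realm's token endpoint), a user representation's `groups` field takes group paths, and `FakeKeycloak` is a constructed stand-in that reproduces the behaviour Rafael reports (delete allowed, create refused) so the script runs offline.

```python
"""Probe what a Keycloak group-scoped admin can actually do (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request


def make_admin_request(base_url, realm, access_token):
    """Return a request(method, path, body) callable over the Keycloak Admin REST API.

    `path` is relative to /admin/realms/{realm}. Only the HTTP status is returned,
    because the probe only needs to know whether the server allowed the call.
    base_url/realm/access_token are placeholders supplied by the caller.
    """
    def request(method, path, body=None):
        url = f"{base_url}/admin/realms/{realm}{path}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return request


def probe_group_admin(request, group_path, member_user_id):
    """Try the three operations discussed in the thread and record which ones succeed."""
    results = {}
    results["list_users"] = request("GET", "/users") == 200
    # UserRepresentation.groups takes group paths; 201 Created means the call was allowed.
    results["create_user_in_group"] = request(
        "POST", "/users",
        {"username": "fgap-probe-user", "enabled": True, "groups": [group_path]},
    ) == 201
    # Destructive on a real server: point member_user_id at a throwaway account.
    results["delete_user_in_group"] = request("DELETE", f"/users/{member_user_id}") == 204
    return results


def excess_privileges(results, allowed):
    """Operations that succeeded although the intended policy does not grant them."""
    return sorted(op for op, ok in results.items() if ok and op not in allowed)


class FakeKeycloak:
    """Constructed stand-in mirroring the behaviour reported in the thread:
    a 'manage' group admin can list and delete group members but cannot create users."""

    def __init__(self, group_members):
        self.group_members = set(group_members)

    def request(self, method, path, body=None):
        if method == "GET" and path == "/users":
            return 200
        if method == "POST" and path == "/users":
            return 403  # creation still requires realm-level manage-users
        if method == "DELETE" and path.startswith("/users/"):
            return 204 if path.split("/")[-1] in self.group_members else 403
        return 404


if __name__ == "__main__":
    # Offline demo against the constructed fake. For a live check build the callable with
    # make_admin_request("https://keycloak.example.test", "myrealm", "<group-admin token>").
    fake = FakeKeycloak(group_members={"u-42"})
    observed = probe_group_admin(fake.request, "/group-admins", "u-42")
    print(observed)
    print("beyond intended policy:", excess_privileges(observed, allowed={"list_users"}))
```

Running it against a real realm with the group admin's token turns the thread's "is this expected?" into a concrete list of operations that exceed the intended policy, which is also the evidence to attach to the JIRA Pedro asks for.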

