[keycloak-user] Doubts regarding fine grained permission on groups

Rafael Weingärtner rafaelweingartner at gmail.com
Fri Apr 5 08:47:58 EDT 2019


Thanks for the feedback Pedro!
Sure, I will do that. However, just to make sure I understood. The ability
to delete users accounts for the "group admin" users is considered a bug,
and will be removed/addressed in the upcoming release. Is that correct?

On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi Rafael,
>
> Yeah, this is how it was implemented. I understand your point and this is
> one of the things that we need to review in regards to fine-grained
> permissions in admin console.
>
> We have a few open JIRAs that we are looking forward to work in the
> future. Could you please file a new JIRA for this problem in particular?
>
> Regards.
> Pedro Igor
>
>
> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <
> rafaelweingartner at gmail.com> wrote:
>
>> Hello folks,
>> Any takers here? It would be very helpful to have feedback regarding the
>> intended design before checking the code to confirm these features.
>>
>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
>> rafaelweingartner at gmail.com> wrote:
>>
>> > Hello Keycloak community,
>> > We seem to have stumbled across a feature that we do not fully
>> > understand (after reading and re-reading, and testing). Could somebody
>> > help to clarify the design of this feature?
>> >
>> > When enabling fine-grained group permissions, we see the option to
>> > assign the scope "manage" to users in specific groups. According to our
>> > understanding, this scope would allow us to create the "role" of users
>> > ("group-admins") to manage (update user information, reset credentials,
>> > enable/disable) other users in the same group; users with this "role"
>> > would also not be able to see the other users in the realm that are not
>> > assigned to the group where they have these special permissions.
>> > Therefore, the actions of creating and removing users would still be
>> > restricted to the manage-users permission that can be set to
>> > "user-managers" in the whole realm.
>> >
>> > During our tests, we noticed that the users that receive the "manage"
>> > scope permission in a group are able to delete users of the group. Is
>> > this the expected behavior? After noticing this, we also thought that
>> > they would then be able to create users in the group (if they can
>> > remove, why not enable them to create as well?); however, these users
>> > are not able to create other users in the group that they have
>> > permission to manage (even when explicitly assigning the group to the
>> > user being created). Is this a bug? Or something that is not completely
>> > documented?
>> >
>> > --
>> > Rafael Weingärtner
>> >
>>
>>
>> --
>> Rafael Weingärtner
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 
Rafael Weingärtner
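As an added check, not from the thread or the Keycloak project: a small Python audit that probes the Admin REST API as a "group admin" against a throwaway test user and reports where the effective rights differ from the design described above (the group "manage" scope covering update, reset credentials and enable/disable, but not create or delete). The base URL, realm, bearer token, test user id and group path are caller-supplied assumptions, and a successful delete probe removes the test user, so it belongs in a test realm.

```python
import json
import urllib.error
import urllib.request
from functools import partial

# Intended design as described in the thread: the group "manage" scope covers
# update / reset credentials / enable-disable, but not create or delete.
INTENDED = {"update": True, "reset_credentials": True, "toggle_enabled": True,
            "create": False, "delete": False}
SUCCESS = {200, 201, 204}


def admin_call(base_url, realm, token, method, path, body=None):
    """Send one Admin REST API request as the group admin; return the HTTP status."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}",
                                 data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 means the operation was denied


def probe(base_url, realm, token, user_id, group_path):
    """Try each operation on a throwaway user of the group (user_id and group_path
    are assumptions). Delete goes last: after it the other probes are meaningless."""
    call = partial(admin_call, base_url, realm, token)
    return {
        "update": call("PUT", f"/users/{user_id}", {"firstName": "audit"}),
        "reset_credentials": call("PUT", f"/users/{user_id}/reset-password",
                                  {"type": "password", "value": "Audit-Tmp-1",
                                   "temporary": True}),
        "toggle_enabled": call("PUT", f"/users/{user_id}", {"enabled": False}),
        "create": call("POST", "/users", {"username": "audit-probe",
                                          "enabled": True, "groups": [group_path]}),
        "delete": call("DELETE", f"/users/{user_id}"),
    }


def diff_against_design(observed):
    """Return (granted_but_not_intended, intended_but_denied) from probe() output."""
    allowed = {op: status in SUCCESS for op, status in observed.items()}
    extra = sorted(op for op in allowed if allowed[op] and not INTENDED[op])
    missing = sorted(op for op in allowed if INTENDED[op] and not allowed[op])
    return extra, missing
```

Feeding the status codes from `probe()` into `diff_against_design()` yields `(["delete"], [])` for the behaviour reported in the thread, which is the regression check to keep around for the release that addresses it.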

