[keycloak-user] Doubts regarding fine grained permission on groups

Pedro Igor Silva psilva at redhat.com
Fri Apr 5 09:15:19 EDT 2019


That is something to discuss. Right now, I think that group admins can delete
*and* create users. IIRC, the issue here is that the "create" button is
only shown if you have the "manage-users" role, which conflicts with the
permissioning model provided by the fine-grained admin permissions.

On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Thanks for the feedback Pedro!
> Sure, I will do that. However, just to make sure I understood. The ability
> to delete users accounts for the "group admin" users is considered a bug,
> and will be removed/addressed in the upcoming release. Is that correct?
>
> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi Rafael,
>>
>> Yeah, this is how it was implemented. I understand your point and this is
>> one of the things that we need to review in regards to fine-grained
>> permissions in the admin console.
>>
>> We have a few open JIRAs that we are looking forward to working on in the
>> future. Could you please file a new JIRA for this problem in particular?
>>
>> Regards.
>> Pedro Igor
>>
>>
>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <
>> rafaelweingartner at gmail.com> wrote:
>>
>>> Hello folks,
>>> Any takers here? It would be very helpful to have feedback regarding the
>>> intended design before checking the code to confirm these features.
>>>
>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
>>> rafaelweingartner at gmail.com> wrote:
>>>
>>> > Hello Keycloak community,
>>> > We seem to have stumbled across a feature that we do not fully
>>> > understand (after reading and re-reading, and testing). Could somebody
>>> > help to clarify the design of this feature?
>>> >
>>> > When enabling fine-grained group permissions, we see the option to
>>> > assign the scope "manage" to users in specific groups. According to our
>>> > understanding, this scope would allow us to create the "role" of users
>>> > ("group-admins") to manage (update user information, reset credentials,
>>> > enable/disable) other users in the same group; users with this "role"
>>> > would also not be able to see the other users in the realm that are not
>>> > assigned to the group where they have these special permissions.
>>> > Therefore, the actions of creating and removing users would still be
>>> > restricted to the manage-users permission that can be set to
>>> > "user-managers" in the whole realm.
>>> >
>>> > During our tests, we noticed that the users that receive the "manage"
>>> > scope permission in a group are able to delete users of the group. Is
>>> > this the expected behavior? After noticing this, we also thought that
>>> > they would then be able to create users in the group (if they can
>>> > remove, why not enable them to create as well?); however, these users
>>> > are not able to create other users in the group that they have
>>> > permission to manage (even when explicitly assigning the group to the
>>> > user being created). Is this a bug? Or something that is not completely
>>> > documented?
>>> >
>>> > --
>>> > Rafael Weingärtner
>>> >
>>>
>>>
>>> --
>>> Rafael Weingärtner
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
> --
> Rafael Weingärtner
>

