[keycloak-user] Doubts regarding fine grained permission on groups

Rafael Weingärtner rafaelweingartner at gmail.com
Fri Apr 5 09:25:17 EDT 2019


Thanks for the clarification.

On Fri, Apr 5, 2019 at 10:15 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> That is something to discuss. Right now, I think that group admins can delete
> *and* create users. IIRC, the issue here is that the "create" button is
> only shown if you have the "manage-users" role which conflicts with the
> permissioning model provided by the fine-grained admin permissions.
>
> On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <
> rafaelweingartner at gmail.com> wrote:
>
>> Thanks for the feedback Pedro!
>> Sure, I will do that. However, just to make sure I understood. The
>> ability to delete users accounts for the "group admin" users is considered
>> a bug, and will be removed/addressed in the upcoming release. Is that
>> correct?
>>
>> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi Rafael,
>>>
>>> Yeah, this is how it was implemented. I understand your point and this is
>>> one of the things that we need to review in regards to fine-grained
>>> permissions in admin console.
>>>
>>> We have a few open JIRAs that we are looking forward to working on in the
>>> future. Could you please file a new JIRA for this problem in particular?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>>
>>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <
>>> rafaelweingartner at gmail.com> wrote:
>>>
>>>> Hello folks,
>>>> Any takers here? It would be very helpful to have feedback regarding the
>>>> intended design before checking the code to confirm these features.
>>>>
>>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
>>>> rafaelweingartner at gmail.com> wrote:
>>>>
>>>> > Hello Keycloak community,
>>>> > We seem to have stumbled across a feature that we do not fully understand
>>>> > (after reading and re-reading, and testing). Could somebody help to clarify
>>>> > the design of this feature?
>>>> >
>>>> > When enabling fine grained group permissions, we see the option to assign
>>>> > the scope "manage" to users in specific groups. According to our
>>>> > understanding, this scope would allow us to create the "role" of users
>>>> > ("group-admins") to manage (update user information, reset credentials,
>>>> > enable/disable) other users in the same group; users with this "role" would
>>>> > also not be able to see the other users in the realm that are not assigned
>>>> > to the group where they have these special permissions. Therefore, the
>>>> > actions of creating and removing users would still be restricted to the
>>>> > manage-users permission that can be set to "user-managers" in the whole
>>>> > realm.
>>>> >
>>>> > During our tests, we noticed that the users that receive the "manage" scope
>>>> > permission in a group are able to delete users of the group. Is this the
>>>> > expected behavior? After noticing this, we also thought that they would
>>>> > then be able to create users in the group (if they can remove, why not
>>>> > enable them to create as well?); however, these users are not able to
>>>> > create other users in the group that they have permission to manage (even
>>>> > when assigning explicitly the group to the user being created). Is this a
>>>> > bug? Or something that is not completely documented?
>>>> >
>>>> > --
>>>> > Rafael Weingärtner
>>>> >
>>>>
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>> --
>> Rafael Weingärtner
>>
>

-- 
Rafael Weingärtner
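The question in this thread is really "what can a group-scoped admin actually do once the group's 'manage' scope permission is enabled?", and the only reliable answer is to probe it. The script below is an added example written for this archive page; it is not code from the thread, from Keycloak or from either poster. It assumes a Keycloak server whose Admin REST API exposes the `PUT /admin/realms/{realm}/groups/{id}/management/permissions` endpoint (which returns the scope permissions Keycloak creates for the group) and the `/admin/realms/{realm}/users` endpoint; the base URL, realm name, group and user ids, tokens and the probe account are placeholders to replace. It goes slightly beyond the thread by exercising all four operations (view, update, create, delete) with the delegated admin's own token and diffing the observed HTTP statuses against the policy the operator intends, so a discrepancy like "delete allowed, create denied" shows up as an explicit violation instead of being discovered by accident in the console.

```python
"""Audit of what a delegated (group-scoped) Keycloak admin can actually do.

Added example; not code from the thread or from Keycloak. It assumes a
Keycloak server reachable at BASE_URL with the standard Admin REST API
endpoints used below; realm name, ids and tokens are placeholders.
"""
import json
import urllib.error
import urllib.request

# Scope names Keycloak defines when fine-grained permissions are enabled on a group.
GROUP_SCOPES = ("view", "manage", "view-members", "manage-members", "manage-membership")


def urllib_transport(method, url, token=None, body=None):
    """Send one JSON request; return (http_status, decoded_json_or_None).
    Status 0 means the server could not be reached at all."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:   # server answered with an error status
        return err.code, None
    except urllib.error.URLError:           # no connection (placeholder URL etc.)
        return 0, None


def enable_group_permissions(base_url, realm, group_id, realm_admin_token,
                             transport=urllib_transport):
    """Turn on fine-grained permissions for one group (as a realm admin) and
    return the map scope-name -> permission id that Keycloak reports back."""
    url = f"{base_url}/admin/realms/{realm}/groups/{group_id}/management/permissions"
    status, ref = transport("PUT", url, realm_admin_token, {"enabled": True})
    if status != 200 or not ref or not ref.get("enabled"):
        raise RuntimeError(f"could not enable group permissions (HTTP {status})")
    scope_permissions = ref.get("scopePermissions", {})
    missing = [s for s in GROUP_SCOPES if s not in scope_permissions]
    if missing:
        raise RuntimeError(f"server did not create scope permissions for: {missing}")
    return scope_permissions


def audit_delegated_admin(base_url, realm, delegated_token, member_id,
                          new_user, transport=urllib_transport):
    """Try the operations the thread discusses with the delegated admin's own
    token and record each HTTP status; 403 means Keycloak refused the call.
    The DELETE is real, so member_id must point at a disposable test account."""
    users = f"{base_url}/admin/realms/{realm}/users"
    return {
        "view_member":   transport("GET", f"{users}/{member_id}", delegated_token)[0],
        "update_member": transport("PUT", f"{users}/{member_id}", delegated_token,
                                   {"enabled": True})[0],
        "create_user":   transport("POST", users, delegated_token, new_user)[0],
        "delete_member": transport("DELETE", f"{users}/{member_id}", delegated_token)[0],
    }


# Policy the operator intends: a group admin may view and edit members, while
# creating and deleting accounts stay with the realm-wide manage-users role.
# This encodes the reading given in the thread, not a confirmed Keycloak design.
INTENDED_POLICY = {
    "view_member": 200,    # GET    -> 200 OK
    "update_member": 204,  # PUT    -> 204 No Content
    "create_user": 403,    # POST   -> 403 Forbidden
    "delete_member": 403,  # DELETE -> 403 Forbidden
}


def policy_violations(observed, intended=INTENDED_POLICY):
    """Return {operation: (intended_status, observed_status)} for every mismatch."""
    return {op: (intended[op], got) for op, got in observed.items() if intended[op] != got}


if __name__ == "__main__":
    # Placeholders; replace with real values before running against a server.
    BASE_URL, REALM = "https://keycloak.example.invalid", "demo"
    observed = audit_delegated_admin(
        BASE_URL, REALM, "<group-admin-token>", "<disposable-member-id>",
        {"username": "audit-probe", "enabled": True, "groups": ["/team-a"]})
    print(policy_violations(observed))
```

Run `enable_group_permissions` once with a realm-admin token, grant the returned "manage" (or "manage-members") permission to the group-admin policy in the console, then run the audit with a token obtained as the group admin. With the behaviour the thread reports, the output would be `{'delete_member': (403, 204)}`: create is refused as intended, delete is not. Keeping such a probe in a post-deployment check catches the same gap after every Keycloak upgrade, which matters because the thread makes clear the behaviour is still being reviewed.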

