[keycloak-user] Doubts regarding fine grained permission on groups

Rafael Weingärtner rafaelweingartner at gmail.com
Fri Apr 5 09:44:12 EDT 2019


Jira ticket created: https://issues.jboss.org/browse/KEYCLOAK-10000

On Fri, Apr 5, 2019 at 10:25 AM Rafael Weingärtner <
rafaelweingartner at gmail.com> wrote:

> Thanks for the clarification.
>
> On Fri, Apr 5, 2019 at 10:15 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> That is something to discuss. Right now, I think that group admins can delete
>> *and* create users. IIRC, the issue here is that the "create" button is
>> only shown if you have the "manage-users" role which conflicts with the
>> permissioning model provided by the fine-grained admin permissions.
>>
>> On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <
>> rafaelweingartner at gmail.com> wrote:
>>
>>> Thanks for the feedback Pedro!
>>> Sure, I will do that. However, just to make sure I understood. The
>>> ability to delete users accounts for the "group admin" users is considered
>>> a bug, and will be removed/addressed in the upcoming release. Is that
>>> correct?
>>>
>>> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi Rafael,
>>>>
>>>> Yeah, this is how it was implemented. I understand your point and this is
>>>> one of the things that we need to review in regards to fine-grained
>>>> permissions in the admin console.
>>>>
>>>> We have a few open JIRAs that we are looking forward to work in the
>>>> future. Could you please file a new JIRA for this problem in particular ?
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>>
>>>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <
>>>> rafaelweingartner at gmail.com> wrote:
>>>>
>>>>> Hello folks,
>>>>> Any takers here? It would be very helpful to have feedback regarding the
>>>>> intended design before checking the code to confirm these features.
>>>>>
>>>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <
>>>>> rafaelweingartner at gmail.com> wrote:
>>>>>
>>>>> > Hello Keycloak community,
>>>>> > We seem to have stumbled across a feature that we do not fully
>>>>> > understand (after reading and re-reading, and testing). Could somebody
>>>>> > help to clarify the design of this feature?
>>>>> >
>>>>> > When enabling fine-grained group permissions, we see the option to
>>>>> > assign the scope "manage" to users in specific groups. According to our
>>>>> > understanding, this scope would allow us to create the "role" of users
>>>>> > ("group-admins") to manage (update user information, reset credentials,
>>>>> > enable/disable) other users in the same group; users with this "role"
>>>>> > would also not be able to see the other users in the realm that are not
>>>>> > assigned to the group where they have these special permissions.
>>>>> > Therefore, the actions of creating and removing users would still be
>>>>> > restricted to the manage-users permission that can be set to
>>>>> > "user-managers" in the whole realm.
>>>>> >
>>>>> > During our tests, we noticed that the users that receive the "manage"
>>>>> > scope permission in a group are able to delete users of the group. Is
>>>>> > this the expected behavior? After noticing this, we also thought that
>>>>> > they would then be able to create users in the group (if they can
>>>>> > remove, why not enable them to create as well?); however, these users
>>>>> > are not able to create other users in the group that they have
>>>>> > permission to manage (even when assigning explicitly the group to the
>>>>> > user being created). Is this a bug? Or something that is not completely
>>>>> > documented?
>>>>> >
>>>>> > --
>>>>> > Rafael Weingärtner
>>>>> >
>>>>>
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>
>>> --
>>> Rafael Weingärtner
>>>
>>
>
> --
> Rafael Weingärtner
>


-- 
Rafael Weingärtner
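As an added regression check (not code from the thread or from Keycloak), the access matrix Rafael describes for a user holding only the fine-grained "manage" scope on a group can be encoded and compared against what the admin REST API actually permits. The `send` callable, the realm name, the group path and the user ids are assumptions; in practice `send` would be an HTTP client authenticated as the group admin.

```python
"""Check what a group admin (fine-grained "manage" scope only) can do via the admin API."""
from typing import Callable, Dict, Optional

# Constructed placeholders; replace with the realm, group and users under test.
REALM = "example"
GROUP_PATH = "/group-a"                                    # assumed group path
GROUP_MEMBER_ID = "00000000-0000-0000-0000-000000000001"   # placeholder: member of group-a
OUTSIDE_USER_ID = "00000000-0000-0000-0000-000000000002"   # placeholder: not in group-a

# Intended design per the thread: True = must be allowed, False = must be refused.
EXPECTED: Dict[str, bool] = {
    "update_group_member": True,
    "delete_group_member": False,   # observed as allowed; tracked as KEYCLOAK-10000
    "create_user_in_group": False,  # create/delete stay with the realm-wide manage-users role
    "read_outside_user": False,     # users outside the group must not be visible
}

# send(method, path, json_body) -> HTTP status code, issued as the group admin.
Sender = Callable[[str, str, Optional[dict]], int]


def probe(send: Sender, realm: str = REALM) -> Dict[str, bool]:
    """Issue one admin REST call per matrix entry and record whether it was allowed."""
    base = f"/admin/realms/{realm}"
    calls = {
        "update_group_member": ("PUT", f"{base}/users/{GROUP_MEMBER_ID}", {"firstName": "probe"}),
        "delete_group_member": ("DELETE", f"{base}/users/{GROUP_MEMBER_ID}", None),
        "create_user_in_group": ("POST", f"{base}/users",
                                 {"username": "probe-user", "groups": [GROUP_PATH]}),
        "read_outside_user": ("GET", f"{base}/users/{OUTSIDE_USER_ID}", None),
    }
    # Any 2xx means the server accepted the action; 403/404 means it was refused.
    return {name: 200 <= send(method, path, body) < 300
            for name, (method, path, body) in calls.items()}


def deviations(observed: Dict[str, bool]) -> Dict[str, bool]:
    """Return the entries where observed behaviour differs from the intended design."""
    return {name: observed[name] for name in EXPECTED if observed[name] != EXPECTED[name]}
```

Run `deviations(probe(send))` after each upgrade; an empty result means the group admin's effective rights match the intended design.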

