[keycloak-user] realm-management client role "view-realm" needed to view/edit a user?

EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) external.Benjamin.Weimer at bosch-si.com
Thu Jul 18 02:49:44 EDT 2019


Hi,

No, "manage-users" and "query-users" are not enough; I get a "Forbidden" in this case. When I click on a user in the admin UI, a request to "auth/admin/realms/{realm}/authentication/required-actions" is fired and returns a 403 Forbidden. Before this request there is actually a GET request on the users which returns the user data. Anyway, on the UI a "Forbidden" is shown. This seems inconvenient.

Best regards
Benjamin Weimer


-----Original Message-----
From: Ricardo Martin Camarero <rmartinc at redhat.com>
Sent: Wednesday, 17 July 2019 21:30
To: Schuster Sebastian (INST-CSS/BSV-OS2) <Sebastian.Schuster at bosch-si.com>; EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com>; Huw McNamara <huwmcnamara at msn.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] realm-management client role "view-realm" needed to view/edit a user?

Hi,

I think that in order to edit users you need "manage-users" and "query-users". Try adding "query-users" permission to the administrator (and removing the "view-realm").

Best regards!

On 7/17/19 6:52 PM, Schuster Sebastian (INST-CSS/BSV-OS2) wrote:
> I assume this issue is fixed in 6.0.1 with this PR: 
> https://github.com/keycloak/keycloak/pull/5893/files
>
> Best regards,
> Sebastian
>
> Kind regards / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Open Source Services (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Mobile +49 152 02177668 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2)
> Sent: Wednesday, 17 July 2019 17:43
> To: Huw McNamara <huwmcnamara at msn.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] realm-management client role "view-realm" needed to view/edit a user?
>
> Hi Huw,
>
> Thanks for your reply! I added the info to the JIRA ticket.
>
> Best regards
> Benjamin
>
> From: Huw McNamara <huwmcnamara at msn.com>
> Sent: Wednesday, 17 July 2019 17:32
> To: EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] realm-management client role "view-realm" needed to view/edit a user?
>
> Hi Benjamin,
>
> There's an open bug for view-realm being needed to access the credentials tab for clients https://issues.jboss.org/browse/KEYCLOAK-10782.
> Maybe they are related and you could add the info to the JIRA ticket? Although fine grain permissions are tech preview.
>
> Thanks,
> Huw
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of EXTERNAL Weimer Benjamin (TNG, INST-CSS/BSV-OS2) <external.Benjamin.Weimer at bosch-si.com>
> Sent: 17 July 2019 15:39
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] realm-management client role "view-realm" needed to view/edit a user?
>
> Hi all,
>
> We are using fine grain permissions in Keycloak to set the rights to edit certain users and have noticed that the roles "manage-users" and "query-realm" of the "realm-management" client are not sufficient to view and edit single users. The "view-realm" role seems to be needed for that. Can you explain to me why this role is needed for this action?
>
> Best regards and thanks in advance
> Benjamin Weimer
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
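The behaviour reported above (listing users succeeds, but the admin console's follow-up call to the required-actions endpoint is rejected) can be reproduced outside the UI with a short probe. The script below is an added example for this thread; it is not Keycloak's own code and was not posted by any of the participants. It assumes (none of this is stated in the thread) a Keycloak 6.x server under the "/auth" context path, the built-in public "admin-cli" client being usable for a resource-owner password grant, and a test admin account living in the same realm that holds only realm-management client roles (for example manage-users and query-users), so that any 403 reflects those roles and nothing else. The role mapping in ROLE_FOR reflects how Keycloak guards these two endpoints (required-actions behind view-realm, the user listing behind query-users/view-users).

```python
"""Probe which Keycloak admin REST endpoints a restricted admin can reach.

Added example for this thread, not Keycloak's own code. Assumptions (not from
the thread): Keycloak 6.x behind the "/auth" context path, the built-in public
"admin-cli" client usable for a password grant, and a test admin in the same
realm holding only realm-management client roles (e.g. manage-users and
query-users), so the 403s below reflect those roles and nothing else.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Requests the admin console issues when a user is opened. The second one is
# the call the thread reports as 403 for an admin without "view-realm".
ENDPOINTS = {
    "list users": "/admin/realms/{realm}/users?max=1",
    "required actions": "/admin/realms/{realm}/authentication/required-actions",
}

# Realm-management role each probed endpoint is guarded by: Keycloak's
# AuthenticationManagementResource requires view-realm for required-actions;
# listing users needs query-users (or view-users).
ROLE_FOR = {
    "list users": "query-users",
    "required actions": "view-realm",
}


def get_token(base, realm, username, password, client_id="admin-cli"):
    """Password grant against the realm's token endpoint; returns the access token."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def status_of(base, token, path):
    """GET an admin endpoint with the bearer token and return the HTTP status code."""
    req = urllib.request.Request(base + path,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 surface here instead of as a plain exception


def probe(base, realm, username, password):
    """Return {endpoint name: HTTP status} for the restricted admin (needs a live server)."""
    token = get_token(base, realm, username, password)
    return {name: status_of(base, token, path.format(realm=realm))
            for name, path in ENDPOINTS.items()}


def diagnose(statuses):
    """Pure helper: map probe results to the realm-management roles that still appear missing."""
    missing = {ROLE_FOR[name] for name, code in statuses.items() if code == 403}
    return sorted(missing)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py http://localhost:8080/auth <realm> <restricted-admin> <password>
    base, realm, user, pw = sys.argv[1:5]
    results = probe(base, realm, user, pw)
    for name, code in results.items():
        print(f"{name:18s} -> {code}")
    print("roles that still seem missing:", diagnose(results) or "none")
```

Run it once with an admin that has manage-users and query-users only, and once after adding view-realm: the first run prints 200 for the user listing and 403 for required actions, which is the combination the admin console turns into the "Forbidden" banner; the second run prints 200 for both. Because the probe uses the same REST endpoints as the console, it also lets you confirm a fix (such as the PR referenced earlier in the thread) without clicking through the UI.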




