[keycloak-user] Give access to his account to a client

Michal Hajas mhajas at redhat.com
Fri Mar 8 04:55:56 EST 2019


Hi Francois,

first of all, please make sure you are using the latest version of
Keycloak. In upstream there was recently a bugfix [1] which may relate to
your issue.

I tried to follow your steps and it worked for me, so please check that
the group policy is correctly assigned to the manage permission in the
Permissions tab and also check whether the user really belongs to the admin group.

If you are sure that everything is set correctly and you are still not able
to make it work, feel free to send me your realm exported to json and I can
look at it. [2]

My settings:
I created client1 & client2 and user1 & user2 (passwords: pass).

- User1 is able to manage client1 because he is part of the admin group and
Client1 has the admin-group-membership policy configured.
- User2 is able to manage Client1 because he is also part of admin-group,
and Client2 because it is configured with a User policy which permits User2
to manage it.

Best regards,
Michal Hajas

[1] https://issues.jboss.org/browse/KEYCLOAK-9489
[2] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import

On Thu, Mar 7, 2019 at 6:09 PM François Gourrier <
francois.gourrier at libre-logic.fr> wrote:

> Hello everyone,
>
> I find the answer by myself to my question.
>
> I followed the instructions given for "fine grained permissions" here:
> https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
>
> But I do not have the expected result.
>
> Here is my configuration:
>
>  - I created a group "admin" and gave it the role "query-client" on the
> client "realm-management" of the kingdom concerned
>  - For the client "Test" for which I wish to give access (for management)
> to a dedicated user, I created a policy with the right to manage for the
> group concerned "admin", via the "permissions" tab.
>  - I added the relevant user "Test" in this group "admin".
>
> And the result is: "Forbidden.You do not have access to the requested
> resource" ...
>
> If I add the role "view-realm" to the group "admin" on the client
> "realm-management" of the kingdom concerned, it's OK, but the user "test"
> also reads the whole configuration of the kingdom, which is not desirable.
>
> Did I miss something?
>
> thank you in advance
>
> ----- Original message -----
> From: "Francois Gourrier" <francois.gourrier at libre-logic.fr>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 27 February 2019 15:59:33
> Subject: [keycloak-user] Give access to his account to a client
>
> Hello everyone,
>
> we are currently using keycloak. We created several clients on a realm. To
> simplify the management of URIs, we would like to give the management of
> his account to each client.
>
> The REST API allows to modify the account but it is not necessary that a
> customer can go to see the configuration of the other customers, which is
> nevertheless possible if he has the rights of access to the service (unless
> one can restrict access to a client).
>
> Another track would be that a customer connects to his account via the
> back office.
>
> A track to meet the need?
>
> Thank you in advance.
>
> François GOURRIER
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

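The two checks suggested in the reply (does the user really belong to the admin group, and which realm-management roles does that membership bring) can be run offline against a realm export. The following is an added example, not part of the original thread and not Keycloak project code; the embedded export is constructed, and it assumes the export includes users, uses the `groups` / `clientRoles` / `subGroups` fields, and that the role is named `query-clients`. It does not inspect the permission or policy assignment itself.

```python
import json

# Constructed sample shaped like a partial Keycloak realm export (not real data).
REALM = json.loads("""
{"realm": "demo",
 "groups": [{"name": "admin", "path": "/admin",
             "clientRoles": {"realm-management": ["query-clients"]},
             "subGroups": []}],
 "users": [
  {"username": "test",  "groups": ["/admin"]},
  {"username": "test2", "groups": ["/admin"],
   "clientRoles": {"realm-management": ["view-realm"]}},
  {"username": "other", "groups": []}]}
""")

# Roles that expose more than one client's configuration (view-realm is the
# one named in the thread; the others are further realm-management roles).
BROAD = {"view-realm", "manage-realm", "view-clients", "manage-clients", "realm-admin"}

def groups_by_path(groups, prefix=""):
    """Flatten the nested group tree into {path: group}."""
    out = {}
    for g in groups:
        path = f"{prefix}/{g['name']}"
        out[path] = g
        out.update(groups_by_path(g.get("subGroups", []), path))
    return out

def audit(realm, username, group="/admin", client="realm-management"):
    """Report group membership and effective realm-management roles.
    Composite roles are not expanded (simplification)."""
    user = next(u for u in realm.get("users", []) if u["username"] == username)
    index = groups_by_path(realm.get("groups", []))
    roles = set(user.get("clientRoles", {}).get(client, []))
    for path in user.get("groups", []):
        parts = path.strip("/").split("/")
        # A subgroup member also inherits roles mapped to each parent group.
        for i in range(1, len(parts) + 1):
            parent = index.get("/" + "/".join(parts[:i]), {})
            roles |= set(parent.get("clientRoles", {}).get(client, []))
    return {"in_group": group in user.get("groups", []),
            "has_query_clients": "query-clients" in roles,
            "too_broad": sorted(roles & BROAD)}

if __name__ == "__main__":
    for name in ("test", "test2", "other"):
        print(name, audit(REALM, name))
```

A non-empty `too_broad` list for the delegated user corresponds to the situation described in the thread, where adding view-realm lets the user read the whole realm configuration.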
