5
votes

Using the KeyCloak admin console, I am attempting to enact the following use-case.

We have Group X and Group Y.

The role 'Group X Admin' can do the following:

  1. Can create users without a group.
  2. Can assign users without a group to group X.
  3. Can edit and manage users in group X.
  4. Cannot see/edit/manage users in group Y.

It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.

It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.

Is there a way to grant permissions to Add Users while restricting access to certain groups?

2
Did you find a way to configure items 3 and 4? - kmualem

2 Answers

7
votes

You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from Red Hat) but it's the kind of functionality you are looking for.

I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.

Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).

Update

Some instructions on how to set it up:

  • Enable preview profile (in Keycloak startup script)
  • Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
  • Create a group x-users
  • Create a group x-admins
  • Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
  • Click view-members (on the same page) and add a group policy:
    • Scopes: view-members
    • Apply Policy: Create Policy... / Group
    • Enter name, e.g. x-admin-policy
    • Enter description
    • Groups: select group x-admins
    • Save
    • Repeat for manage-members
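The click-path above expressed as Keycloak Admin REST API calls, added here as an example that is not part of the answer or of Keycloak itself: it enables permissions on realm-management and on the x-users group, creates a group policy satisfied by members of x-admins, and attaches it to the view-members and manage-members scope permissions. Assumptions: the documented Admin REST endpoint paths for authorization services, a bearer token for a realm admin, the two group ids, and an injectable `call` transport so the logic can be exercised without a server (the preview profile is still enabled at startup, outside this script).

```python
import json
import urllib.request

MEMBER_SCOPES = ("view-members", "manage-members")  # scopes the answer attaches the policy to

def http_call(base_url, token):
    """Minimal Admin REST transport (assumed shape): call(method, path, body) -> JSON or None."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        with urllib.request.urlopen(urllib.request.Request(base_url + path, data, hdr, method=method)) as r:
            raw = r.read()
        return json.loads(raw) if raw else None
    return call

def group_policy_body(name, admins_group_id):
    """Group policy on the realm-management resource server: satisfied by members of x-admins."""
    return {"name": name, "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "groups": [{"id": admins_group_id, "extendChildren": False}]}

def member_permission_ids(management_ref, scopes=MEMBER_SCOPES):
    """Read the scope-permission ids Keycloak created when permissions were enabled on the
    group (the ManagementPermissionReference returned by PUT .../management/permissions)."""
    found = management_ref.get("scopePermissions") or {}
    missing = [s for s in scopes if s not in found]
    if missing:
        raise KeyError(f"permissions not enabled on the group, scopes missing: {missing}")
    return {s: found[s] for s in scopes}

def permission_update(permission, existing_policy_ids, policy_id):
    """Body for PUT permission/scope/{id}: keep already-attached policies, add ours."""
    policies = list(dict.fromkeys([*existing_policy_ids, policy_id]))  # de-duplicated, ordered
    return {**permission, "policies": policies, "decisionStrategy": "UNANIMOUS"}

def restrict_group_members(call, realm, users_group_id, admins_group_id, policy_name="x-admin-policy"):
    """The answer's click-path as API calls; group ids are assumed inputs (constructed by the caller).
    Returns {scope: permission id} for the permissions the policy was attached to."""
    base = f"/admin/realms/{realm}"
    rm_id = call("GET", f"{base}/clients?clientId=realm-management")[0]["id"]
    authz = f"{base}/clients/{rm_id}/authz/resource-server"
    call("PUT", f"{base}/clients/{rm_id}/management/permissions", {"enabled": True})
    ref = call("PUT", f"{base}/groups/{users_group_id}/management/permissions", {"enabled": True})
    perm_ids = member_permission_ids(ref)
    policy = call("POST", f"{authz}/policy/group", group_policy_body(policy_name, admins_group_id))
    for pid in perm_ids.values():
        perm = call("GET", f"{authz}/permission/scope/{pid}")
        existing = [p["id"] for p in call("GET", f"{authz}/policy/{pid}/associatedPolicies") or []]
        call("PUT", f"{authz}/permission/scope/{pid}", permission_update(perm, existing, policy["id"]))
    return perm_ids
```

Members of x-admins still need the realm-management roles query-users and query-groups to see the Users and Groups sections at all; grant those rather than manage-users, which is the role that overrode the fine-grained policies in the question.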

0
votes

Seems like there is no way in the current admin console :(. I also went through the documentation (and even through the source code ;) ) and did not find a way. Maybe better to create a request in the Keycloak JIRA project. By the way, I was also looking to solve exactly the same problem. Actually there is a JIRA ticket about documenting the fine-grained permissions for the admin console: https://issues.jboss.org/browse/KEYCLOAK-3444. Maybe you can post your comment there or open a new story.