3
votes

I'd like to have a user that is limited to managing a group of users and only those users in Keycloak. The idea is he can add users to that group, remove them from the group and also create new users that belong to that group.

I have been unable to figure out how to do the last part. I am able to assign the "manage" role to the user but then he is able to list and manage all users in Keycloak.

I have thought of going the route of several realms (instead of groups) but then I have to have an account in each realm for the same user if he is to manage several realms instead of one single account.

Is there a better way to achieve this setup (akin to an organization setup where a person can belong to several organizations and manage some/all of them, without having to have several accounts)?

I am using Keycloak 4.6

1

1 Answer

2
votes

I think what you're looking for is the manage-members 'Fine Grain Admin Permissions'. A previous version of the Keycloak admin guide gave an example of this specific use-case:

You can specify that an admin can only manage the members of a specific group. If you go to a group’s page in the Admin Console you will see a Permissions tab...The manage-members permission allows you to define policies that allow an admin to manage any user that is a member of the group.

The newer guide for 4.6 doesn't cover that specific use-case by explicit example anymore but that permission is still listed so it should still work as before.
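To make the answer concrete, here is an added example (not part of the original post, and not Keycloak's own code) that wires the manage-members permission up through the Admin REST API: enable fine-grained permissions on the group, create a user policy for the delegated admin, and attach that policy to the group's manage-members scope permission. The endpoint paths and payload shapes are assumptions based on the Keycloak 4.x Admin REST API and should be checked against the version you run; the `FakeKeycloakTransport` and all ids in it are constructed so the workflow can be exercised offline.

```python
"""Grant one admin user the 'manage-members' fine-grained permission on one group.

Added example illustrating the answer above; it is not code from the original
post or from Keycloak. Endpoint paths and payload shapes are ASSUMPTIONS based
on the Keycloak 4.x Admin REST API: verify them against your version.
"""
from typing import Any, Callable, Dict, List, Optional

# A transport is any callable (method, path, json_body) -> decoded JSON.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Any]


def requests_transport(base_url: str, access_token: str) -> Transport:
    """Real transport for a live server (needs the 'requests' package and an
    admin access token, e.g. from /realms/master/protocol/openid-connect/token)."""
    import requests  # imported lazily so the offline demo needs no extra package

    def call(method: str, path: str, body: Optional[Dict[str, Any]]) -> Any:
        resp = requests.request(method, base_url + path, json=body,
                                headers={"Authorization": f"Bearer {access_token}"})
        resp.raise_for_status()
        return resp.json() if resp.content else {}
    return call


class FineGrainedMembersAdmin:
    """Drives the assumed REST calls; every path below is an assumption."""

    def __init__(self, realm: str, transport: Transport):
        self.realm = realm
        self.call = transport

    def realm_management_client_id(self) -> str:
        # Fine-grained admin policies live in the realm-management client's
        # authorization settings, so we need its internal id, not its clientId.
        clients = self.call("GET", f"/admin/realms/{self.realm}/clients?clientId=realm-management", None)
        return clients[0]["id"]

    def enable_group_permissions(self, group_id: str) -> Dict[str, Any]:
        # Equivalent of switching on the group's "Permissions" tab in the console.
        # The reply (assumed) maps scope names such as 'manage-members' to permission ids.
        return self.call("PUT", f"/admin/realms/{self.realm}/groups/{group_id}/management/permissions",
                         {"enabled": True})

    def create_user_policy(self, rm_client: str, name: str, user_ids: List[str]) -> str:
        # A user policy that grants access to exactly the listed users.
        body = {"name": name, "users": user_ids, "logic": "POSITIVE"}
        created = self.call("POST", f"/admin/realms/{self.realm}/clients/{rm_client}"
                            "/authz/resource-server/policy/user", body)
        return created["id"]

    def attach_policy(self, rm_client: str, permission_id: str, policy_id: str) -> Any:
        # ASSUMPTION: PUT on the scope permission replaces its associated policy
        # list, so we resend the representation we read with 'policies' set.
        path = (f"/admin/realms/{self.realm}/clients/{rm_client}"
                f"/authz/resource-server/permission/scope/{permission_id}")
        current = self.call("GET", path, None)
        current["policies"] = [policy_id]
        return self.call("PUT", path, current)

    def grant_manage_members(self, group_id: str, admin_user_id: str) -> Dict[str, str]:
        rm_client = self.realm_management_client_id()
        reference = self.enable_group_permissions(group_id)
        permission_id = reference["scopePermissions"]["manage-members"]
        policy_id = self.create_user_policy(rm_client, f"manage-members-{group_id}", [admin_user_id])
        self.attach_policy(rm_client, permission_id, policy_id)
        return {"permission": permission_id, "policy": policy_id}


class FakeKeycloakTransport:
    """Constructed stand-in for the Admin REST API so the workflow runs offline.
    It records every call and returns the minimal responses the workflow needs."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self.attached: Dict[str, List[str]] = {}  # permission id -> policy ids

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Any:
        self.calls.append((method, path, body))
        if method == "GET" and path.endswith("/clients?clientId=realm-management"):
            return [{"id": "rm-client-uuid"}]
        if method == "PUT" and path.endswith("/management/permissions"):
            return {"enabled": True, "resource": "group-resource-uuid",
                    "scopePermissions": {"view": "p-view", "manage": "p-manage",
                                         "view-members": "p-view-members",
                                         "manage-members": "p-manage-members",
                                         "manage-membership": "p-manage-membership"}}
        if method == "POST" and path.endswith("/policy/user"):
            return {"id": "policy-uuid", **(body or {})}
        if method == "GET" and "/permission/scope/" in path:
            pid = path.rsplit("/", 1)[1]
            return {"id": pid, "name": f"{pid}.permission", "type": "scope",
                    "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS"}
        if method == "PUT" and "/permission/scope/" in path:
            self.attached[body["id"]] = list(body["policies"])
            return body
        raise ValueError(f"unexpected call: {method} {path}")


def demo():
    """Run the workflow against the constructed fake: Sally manages the sales group."""
    fake = FakeKeycloakTransport()
    admin = FineGrainedMembersAdmin("myrealm", fake)
    result = admin.grant_manage_members(group_id="sales-group-uuid", admin_user_id="sally-uuid")
    return result, fake


if __name__ == "__main__":
    outcome, transport = demo()
    print(outcome)
    for method, path, _ in transport.calls:
        print(method, path)
```

Against a live server, replace `FakeKeycloakTransport()` with `requests_transport("https://keycloak.example/auth", token)` (host and token are placeholders). One caveat to verify for your version: fine-grained permissions decide what the delegated admin may do, but whether he can list users and groups at all still depends on the realm-management client roles assigned to him, so check the "Fine Grain Admin Permissions" section of the admin guide for the roles it expects alongside manage-members.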