Best approach for company admin with users

We have several thousand companies,
every company should have one admin user who can create/delete/edit other users of the company and only them.
It should be callable via the REST API.

These are the solutions I currently have in mind:

  • Every company is a client. Pretty straightforward, but with a lot of clients (maybe 20000?) is this a problem?
  • Every company has its own admin role and user role, i.e. companyname-admin. Problem: a lot of roles; it doesn’t feel right.
  • Every company has a group. This solution requires group policies, which cannot be called via REST as far as I know.
    Even if you do it in the admin console, it’s quite complicated.

It all sounds like a very common setup, so what would be the best approach? Am I missing something?

Torsten


If the users of these 2000 companies have nothing to do with each other, then simply think of taking each company as a different realm, and so you’ll end up with 2000 realms and at least 2000 admin users, one for each realm managing its own realm users. If you go with 2000 clients in one realm, and if you meant companies that have nothing related to each other, then you will end up in a big mess soon.

I’m guessing you have some sort of SaaS solution. Have you considered allowing customers to bring their own users through identity brokering? That allows customers to quickly and easily allow any user in the company to log in to your solution rather than requiring them to re-create user accounts within your solution. We are planning in the future to add support for identity-first login, where it would be possible to automatically redirect to an IdP for a given email domain, i.e. any user with @mydomain.com would redirect to https://idp.mydomain.com to authenticate in their own IdP rather than in Keycloak directly.

Second option would be groups and fine-grained admin permissions. Also, consider if you want company admins to access the Keycloak Admin Console to manage the users or if you would like to create a bespoke user management app, which would then use Keycloak Admin REST.


Hi Stian, thank you for your answer. Unfortunately identity brokering is not an option, at least not for all the customers.
I think we have to stick to the fine-grained approach then, since we have a dedicated frontend and don’t want the customer to use the admin console.
I did not find any REST API documentation concerning fine-grained permissions or policies.
It sounds like there is an API; is there documentation for it?

I would consider identity brokering support for customers where this is an option as that would be a value-add for your customers.

Fine-grained is not a REST API, but rather a way to manage access to Admin REST API/console in a fine-grained way. Take a look at https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions


Yes, identity brokering is definitely a very nice option we will consider.
I just want to make sure I can add fine-grained permissions via the REST API, i.e. when creating a new group for a company I need an endpoint to add these permissions to the group or add policies to the group, add a user to the policy, etc.
This is something I haven’t found in the docs, or is there another way to go?

I would consider supporting brokering for those customers that can use that, as it will be much easier for both you and them.

For the rest fine-grained permissions is not an API, but rather a way to provide more fine-grained access to admin endpoints/console. Take a look at https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions for more details.

You may also consider creating your own application to allow your customers to manage their users rather than pointing them to the Keycloak admin console. In this case you can create your own user management app that will rely on groups in Keycloak to only allow customers to manage specific groups. That may be the ideal way, as you can hide a lot of the complexity behind your custom application.
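The custom-app approach described above, as an added example that is not from the thread or from Keycloak itself: a minimal Python facade in which a company admin is identified by membership in an assumed `/<company>/admins` group and can only list, create and delete users inside that company's group subtree, so no customer ever holds a realm-wide manage-users grant. `FakeAdminClient` is a constructed in-memory stand-in for the Admin REST calls a real app would make.

```python
from itertools import count
from typing import Callable, Dict, List, Set

class Forbidden(Exception):
    """Raised when a company admin touches anything outside their own company."""

class FakeAdminClient:
    """Constructed in-memory stand-in for the Keycloak Admin REST calls the facade needs."""
    def __init__(self) -> None:
        self.users: Dict[str, Dict] = {}   # user_id -> {"username", "groups"}
        self._ids = count(1)
    def add_user(self, username: str, groups: Set[str]) -> str:
        uid = f"u{next(self._ids)}"
        self.users[uid] = {"username": username, "groups": set(groups)}
        return uid
    def user_groups(self, user_id: str) -> Set[str]:
        return set(self.users[user_id]["groups"])
    def group_members(self, group_path: str) -> List[str]:
        return [u for u, d in self.users.items() if group_path in d["groups"]]
    def delete_user(self, user_id: str) -> None:
        del self.users[user_id]

class CompanyUserManager:
    """Per-request facade for a bespoke user-management app: the caller's company comes
    from group membership (assumed layout: /<company> members, /<company>/admins admins)."""
    def __init__(self, client: FakeAdminClient, caller_id: str) -> None:
        self.client = client
        admin_of = [g for g in client.user_groups(caller_id) if g.endswith("/admins")]
        if len(admin_of) != 1:
            raise Forbidden("caller must be admin of exactly one company")
        self.company = admin_of[0][: -len("/admins")]   # "/acme/admins" -> "/acme"
        if not self.company:                            # a bare "/admins" scopes nothing
            raise Forbidden("admin group must sit under a company group")
    def list_users(self) -> List[str]:
        return self.client.group_members(self.company)
    def create_user(self, username: str) -> str:
        # new users always land in the caller's own company group, nowhere else
        return self.client.add_user(username, {self.company})
    def delete_user(self, user_id: str) -> None:
        groups = self.client.user_groups(user_id)
        if not any(g == self.company or g.startswith(self.company + "/") for g in groups):
            raise Forbidden(f"{user_id} is outside {self.company}")
        self.client.delete_user(user_id)

def denied(action: Callable[..., object], *args: object) -> bool:
    try:
        action(*args)
        return False
    except Forbidden:
        return True
```

The service account of the real app would hold the manage-users permission; the facade is what stops a company admin from reaching users in any other company's group.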

Okay, but sooner or later I have to give the group admin a manage-account role, which enables him to edit all users, since there are no restrictions for groups.

manage-account only allows managing the users own account, and won’t give permissions to add roles or groups. I assume you are actually talking about manage-users? Can’t quite remember how the fine-grained permissions work, but you should be able to only allow a user to manage users within a specific group.