Clarification: manage-account role and how user can edit their profile data

Hello, everyone!

We are in our last steps to implement Keycloak in the real world as our SSO solution. Right now, I’m doing some configuration checkups to limit users’ capabilities with account editing (be it their own or others’).

The first question is: What does the manage-account role actually mean? What actions does it allow a user to do?

Consider the scenario below:

In our rules, we cannot allow a user to alter their e-mail or username, except with a support ticket. We do allow password change from self-login and from people in your user group if you have the correct rights (a temporary password is generated and the update link is sent to this secondary user).

We do not want people to access Keycloak’s account page. Passwords will be reset through UPDATE_PASSWORD trigger links that redirect to KC’s change password page.

Which default roles should be included/set to allow these?

Cheers!

User access to the account console is managed via User-Managed Access in the realm settings.

The default rules already allow the user to update the password, but you can disable (or enable) the auto password recovery feature in the realm settings if necessary. This will enable (or disable) the “forgot my password” option in the login form.
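The realm-level switches mentioned in the reply, plus the UPDATE_PASSWORD action e-mail the question describes, can all be driven through Keycloak's admin REST API. Below is an added example (not code from the thread or from the Keycloak project) that builds those requests with the standard library only: `resetPasswordAllowed` is the "forgot password" toggle, `editUsernameAllowed` controls whether users may change their own username, and `userManagedAccessAllowed` is the User-Managed Access setting. The base URL, realm name, user id and the 12-hour link lifespan are assumed placeholders; an admin bearer token is obtained separately and passed to `send`.

```python
"""Keycloak admin REST helper (added example, not from the thread).

Assumed placeholders: BASE_URL, REALM, the user id, and the link lifespan.
The request builders return (method, url, json_body) so they can be
inspected offline; send() performs the call with a bearer token.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.invalid"  # placeholder, assumed
REALM = "myrealm"                         # placeholder, assumed


def realm_settings_request(base_url, realm, allow_forgot_password=False,
                           allow_username_edit=False, allow_uma=False):
    """PUT /admin/realms/{realm} with a partial RealmRepresentation.

    The defaults match the policy in the question: no "forgot my password"
    link on the login form, no self-service username edits, and
    User-Managed Access switched off.
    """
    body = {
        "resetPasswordAllowed": allow_forgot_password,
        "editUsernameAllowed": allow_username_edit,
        "userManagedAccessAllowed": allow_uma,
    }
    return ("PUT", f"{base_url}/admin/realms/{realm}", body)


def update_password_email_request(base_url, realm, user_id,
                                  lifespan_seconds=43200):
    """PUT /admin/realms/{realm}/users/{id}/execute-actions-email

    Sends the user an e-mail whose link runs the listed required actions;
    here only UPDATE_PASSWORD, so the link lands on the change-password
    page. lifespan (seconds, 12h assumed here) bounds the link's validity.
    """
    query = urllib.parse.urlencode({"lifespan": lifespan_seconds})
    url = (f"{base_url}/admin/realms/{realm}/users/{user_id}"
           f"/execute-actions-email?{query}")
    return ("PUT", url, ["UPDATE_PASSWORD"])


def admin_token_request(base_url, username, password):
    """Password grant against the master realm's admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    return ("POST",
            f"{base_url}/realms/master/protocol/openid-connect/token",
            form)


def send(request, token):
    """Execute a (method, url, body) tuple; returns the HTTP status code."""
    method, url, body = request
    data = body if isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(url, method=method, data=data)
    req.add_header("Authorization", f"Bearer {token}")
    if not isinstance(body, bytes):
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Print the requests instead of sending them; supply a real token to
    # call send() against a live server.
    print(realm_settings_request(BASE_URL, REALM))
    print(update_password_email_request(BASE_URL, REALM, "<user-id>"))
```

The realm PUT only needs the fields being changed; Keycloak merges a partial representation into the existing realm configuration. The action e-mail endpoint also accepts `client_id` and `redirect_uri` query parameters if the post-reset redirect should point somewhere other than the account console.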