We want to enable Edit username option for a realm but we do not want our users to have any permission for modifying either their username or email in Keycloak account management console.
By default users get permission to edit account details from default role created for every realm with the role manage_account associated with client Account. Only option we found is to remove manage_account role from Client Account. Does it have any other implications apart from disabling users to edit account details or is there a better way since this also disables users access for viewing profile info?
Hi! I’m also interested in this. Have you ever found a solution?
I found that when I remove the manage_acocunt role from users, they have no access to the acocunt management console at all, not even if the view_profile role is assigned.
It looks like accessing account management console requires manage-account role assigned to the users. Another option is to have custom theme for account console. I have implemented first option to remove manage-account default client role from the realm default role, so that all users do not have access to account console. May be in future versions Keycloak provides more fine grained options
There’s a module in feature preview, the declarative_user_profile Server Administration Guide
-Dkeycloak.profile.feature.declarative_user_profile=enabled (before v17) or
ENV KC_FEATURES=(...),declarative-user-profile in the new versions.
With this module enable each field of the user profile can dbe:
- defined (any value not defined wont be stored)
- set as required or not
- set as being visible/editable by admins and or users (so you can say visible to users bot not editable).
Note that the provided features with the module allows automatic forms for registration or some popups associated with login-forms (like a required attribute is missing), but it does not affect the
account application, so you’ll have to edit the theme of the account application and fix the attributes shown in these forms.
@regilero Regarding setting profile attributes as not editable for Users but editable for Admin.Why it does not affect the account application? And where does this setting actually work?
It’s applied, in the back, but the account ‘front’ is not aware of that, as far as I remember. So you’ll have editable forms, but a failing POST.
It tried with 19.0.1 version wit declarative user profiles. Setting a field as editable only for admins works for all fields except Username. For some reason even when i set the field as editable only for admin, it is editable for users, But for other fields this works correctly, for e.g. with error “The field First name is read only.”