Documentation (description) of realm roles?

Hi,

I’m looking for the documentation of the default realm roles that we can assign to a client, such as:

“query-realms”, “view-clients”, “manage-realm”, “manage-authorization”

I’m trying to understand what permissions are associated with each of the possible roles.

Does anyone know if such documentation is available?

I’m not aware of anything that specifically documents each role’s permissions. The official documentation just lists them: Server Administration Guide

However, it’s fairly safe (in most cases) that view-* allows you to “see” (i.e. GET) the Keycloak objects indicated by the role and manage-* allows you to “update” (i.e. POST, PUT, DELETE) the objects in the Admin UI and Admin API.


@xgp thanks for the reply.

I was trying to create a user and assign a realm role to the recently created user, via the REST API.

I had the client configured with permissions: manage-users, query-users and view-users.

I was able to create the user but not assign the realm role. It was giving a 403, even when trying to query the role (to get its id).

I’m now using realm-admin, which allows me to create the user and assign the role.

Maybe they could document these roles a bit better, to avoid people getting 403s and not understanding why.

Thanks for your explanation.

Thanks for the detail. If you look in the code, it should work with the *-users roles you listed. Were you using the API method like this?

POST /admin/realms/{realm}/users/{userId}/role-mappings/clients/{clientId}

Thanks. I was stuck before that, when I was trying to get the role details:

GET /admin/realms/my-realm/roles/my-role-name
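The sequence this exchange describes (create the user, fetch the realm role to learn its id, then post the role mapping), as an added example that is not part of the thread or of Keycloak's own code. The base URL `https://kc.example`, the bearer token, the user and role names and the `fake_keycloak` stand-in server are constructed; `ROLE_HINTS` records which realm-management role each step appears to need, taking manage-users and the 403 on role lookup from the posts above and xgp's view-*/manage-* rule for the rest, so treat those hints as assumptions to confirm against your own Keycloak version. It is written in Python because the posts only name REST endpoints.

```python
"""Added example (not from the thread or Keycloak): run the poster's admin-API sequence (create
user, look up realm role, map it) and turn a 403 into the refused step plus the role it likely needs."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Role each step appears to need, matched by path fragment, most specific first.  From the thread:
# POST /users worked with manage-users; GET /roles/{name} was refused with only manage-users,
# query-users and view-users, and xgp's "view-* grants GET on that object type" rule points at
# view-realm.  The mapping entry is an ASSUMPTION: the page only shows it succeeding under realm-admin.
ROLE_HINTS = [
    ("POST", "/role-mappings/realm", "manage-users"),
    ("POST", "/users", "manage-users"),
    ("GET", "/roles/", "view-realm"),
]


def hint_for(method: str, path: str) -> str:
    return next((r for m, f, r in ROLE_HINTS if m == method and f in path), "unknown")


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)


class AdminForbidden(Exception):
    def __init__(self, step: str, hint: str):
        self.step, self.hint = step, hint
        super().__init__(f"403 at step '{step}'; the service account probably lacks '{hint}'")


class AdminClient:
    # transport: (method, url, headers, body) -> Response; swappable so the flow also runs offline.
    def __init__(self, base_url: str, realm: str, token: str, transport: Callable[..., Response]):
        self.base, self.realm, self.token, self.send = base_url.rstrip("/"), realm, token, transport

    def _call(self, step: str, method: str, path: str, payload=None) -> Response:
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = None if payload is None else json.dumps(payload).encode()
        resp = self.send(method, f"{self.base}/admin/realms/{self.realm}{path}", headers, body)
        if resp.status == 403:
            raise AdminForbidden(step, hint_for(method, path))
        if resp.status >= 400:
            raise RuntimeError(f"{method} {path} -> {resp.status}: {resp.body[:200]!r}")
        return resp

    def create_user(self, username: str) -> str:
        # Keycloak answers 201 with the new user's URL in the Location header.
        resp = self._call("create user", "POST", "/users", {"username": username, "enabled": True})
        return resp.headers["Location"].rsplit("/", 1)[-1]

    def get_realm_role(self, name: str) -> dict:
        # The step the poster was stuck on: the role's id is needed for the mapping call.
        return json.loads(self._call("look up role", "GET", f"/roles/{name}").body)

    def assign_realm_role(self, user_id: str, role: dict) -> None:
        # Realm roles map via .../role-mappings/realm; the path quoted above is the client-role variant.
        self._call("map role", "POST", f"/users/{user_id}/role-mappings/realm",
                   [{"id": role["id"], "name": role["name"]}])


def provision(client: AdminClient, username: str, role_name: str) -> str:
    user_id = client.create_user(username)
    client.assign_realm_role(user_id, client.get_realm_role(role_name))
    return user_id


def first_refusal(client: AdminClient, username: str, role_name: str) -> Optional[Tuple[str, str]]:
    # (step, hinted role) of the first 403, or None when the whole sequence went through.
    try:
        provision(client, username, role_name)
    except AdminForbidden as e:
        return e.step, e.hint
    return None


def urllib_transport(method, url, headers, body) -> Response:
    # Real transport for a live server; an HTTPError becomes an ordinary Response.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return Response(r.status, r.read(), dict(r.headers))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(), dict(e.headers))


def fake_keycloak(granted: set, realm: str = "my-realm"):
    """Constructed stand-in server enforcing ROLE_HINTS, i.e. the behaviour the thread reports."""
    def send(method, url, headers, body):
        path = url.split(f"/admin/realms/{realm}", 1)[1]
        if hint_for(method, path) not in granted:
            return Response(403, b'{"error":"HTTP 403 Forbidden"}')
        if method == "POST" and path == "/users":
            return Response(201, headers={"Location": url + "/constructed-user-id"})
        if method == "GET":
            return Response(200, json.dumps({"id": "constructed-role-id", "name": path.rsplit("/", 1)[-1]}).encode())
        return Response(204)
    return send
```

Calling `first_refusal` with `urllib_transport` and a service account holding only manage-users, query-users and view-users reproduces the 403 at the "look up role" step; adding the single hinted role and re-running until it returns `None` is the least-privilege alternative to switching the client to realm-admin.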

Hello

Updating this topic. It would be nice to have very detailed documentation of:

view-realm
view-users
view-clients
view-events
manage-realm
manage-users
create-client
manage-clients
manage-events
view-identity-providers
manage-identity-providers
impersonation

In my Keycloak instance I also have roles named

query-users
query-realms
query-groups

This is not in the documentation. Is it deprecated, and could it be removed from the realm-management client?

It’s not deprecated, it’s being used by the admin API. Don’t remove these roles.
They are just not documented. :man_shrugging: