Group level administrators assigning client roles

Hi all,

I’ll start by explaining the set up that we’re trying to achieve in my organisation by using Keycloak. Apologies if I’ve misused any of the terminology, we’ve only recently looked at adopting Keycloak :smiley:

We have many different organisations who will be using Keycloak to authenticate against several different web applications that we develop. All these organisations will be authenticating and using the same applications, and they mostly have a distinct set of users. Despite being different organisations, they are all in the same line of work and use the applications we develop in the same way.

We have a mix of multi-tenanted applications and applications that are deployed on separate application containers for each organisation (some of them are old!) - each of the apps have their own way of authenticating and managing users, so we’re trying to centralise all of that in Keycloak.

This led me to believe that a multi-tenanted approach in Keycloak using different realms for distinct organisations is what we need, but I have since changed my mind. One requirement is that our organisation has the ability to authenticate and log in to any of our organisation’s admin sections which means we need the notion of a cross-realm ‘super’ user, I believe this breaks the main principle of realms which is to keep users separate.

Another reason is that even though the realms will have distinct users the majority of the time, this is the only difference between them. All the clients and configuration of our applications will be identical per realm.

Therefore, I started implementing a multi tenanted approach through use of Groups and fine-grained permissions. I’ve almost got it to where I want it apart from one final issue to do with assigning client permissions, which I’m hoping to get some help with.

I have created a group hierarchy as follows:


  • admins
  • staff


  • admins
  • staff

The idea is that the admins have the ability to administrate the staff, but I can’t seem to get client permissions working. In our different client applications, we have different roles depending on the application in question. I have set all these client permissions up in Keycloak.

When an admin user tries to assign a client role to a staff user, the first issue I had was that the clients were not visible in the drop down. I fixed this by assigning ‘view-clients’ to staff group.

Subsequently, the issue is that after clicking on the client, the roles that are set up don’t actually appear, so I can’t assign them to the user. The only way I’ve been able to fix this is by assigning ‘manage-users’ to the admin group, but then that means that my fine-grained permissions break and they can view every user in the realm (rather than just the staff in their group). I would have thought ‘manage-members’, which I have configured in my fine-grained permissions, would have covered client roles too.

All and any feedback on the issue and the general approach is most welcome, thank you.