Hi,
I would like to create a group with specific permissions/roles:
- a member of this group could add/edit/delete any user of the realm
- a member of this group could assign any user to any group
- a member of this group could NOT assign any role to any group or to any user
- a member of this group could NOT create new groups
This is what I tried with Keycloak 15.0.2. I assigned all user’s permissions to the new group and assigned the ‘query-users’ and ‘query-groups’ roles to this group. So a member of this group:
- could edit/delete any user of the realm
- could NOT assign any role to any group or to any user
However, a member of this group could NOT assign any user to any group and could NOT add a new user, because the Save button is not available on the add user UI.
The group’s permissions don’t help me, so I assigned the additional role ‘manage-users’ to this group. A member of this group may do everything I need, but it could assign a realm role to a group and to a user, and it could create a new group.
I have two questions:
- is it possible to block the realm roles selector via permissions/roles?
- is it possible to block the creation of groups via permissions/roles?