I need to use Keycloak and satisfy the following requirements:
- I need a new user, let's name him viewOnlyAdmin, that can view everything and modify nothing
- the existing admin user (or a newly created newAdmin in his place) must be able to do anything except modify viewOnlyAdmin
We can create a new user viewOnlyAdmin in the master realm and assign him only view and query roles.
viewOnlyAdmin can now view everything and modify nothing. The problem is that viewOnlyAdmin cannot see newly created realms. I have to explicitly give him view rights for the new realms.
Let's say that this problem can be tolerated. We can say that all realms will be created in the beginning and viewOnlyAdmin will be given view rights to all of them. This can be done by creating a new role "view-realms" and adding all view and query roles for all new realms to it.
But for 2, it seems that it is not possible to do this even with "Fine grain permissions".
Maybe this is because of this restriction:
“Fine grain permissions are used to grant additional permissions. You cannot override the default behavior of the built in admin roles”
If I move viewOnlyAdmin to a new realm in order to satisfy requirement 2, by restricting newAdmin's access to this realm, viewOnlyAdmin cannot access other realms, not even with fine grain permissions, possibly due to this restriction:
“Fine grain permissions are only available within dedicated admin consoles and admins defined within those realms. You cannot define cross-realm fine grain permissions.”
So it seems that it is not possible in Keycloak to satisfy these requirements.
Am I missing something?
Can you think of a workaround that could do it?
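The first half of the post (a master-realm user that holds only the view-* and query-* roles of every realm, collected into one "view-realms" composite role) as an added, runnable example. This is not the poster's code or part of Keycloak itself; it talks to the Keycloak Admin REST API with the standard library only. Keycloak publishes each realm's admin roles in the master realm as client roles on a client named "<realm>-realm" (the master realm's own roles live on "master-realm"); the script relies on that naming, and the server URL, credentials, user name and composite role name in CONFIG are assumptions you would replace.

```python
"""Give a master-realm user read-only admin rights over every realm.

Added example, not from the original post.  Strategy: gather the view-*
and query-* client roles of every "<realm>-realm" client in the master
realm into one composite realm role and map that role to the user.
Modifying roles (manage-*, impersonation, create-client, realm-admin)
are never included.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

CONFIG = {  # assumed values for illustration only
    "server": "http://localhost:8080",
    "admin_user": "admin",
    "admin_password": "admin",
    "username": "viewOnlyAdmin",
    "composite_role": "view-realms",
}
READ_ONLY_PREFIXES = ("view-", "query-")


def realm_admin_clients(clients):
    """Map realm name -> client uuid for the per-realm admin clients.

    `clients` is the list from GET /admin/realms/master/clients.
    Assumption: only Keycloak's own admin clients end in "-realm".
    """
    return {c["clientId"][:-len("-realm")]: c["id"]
            for c in clients if c["clientId"].endswith("-realm")}


def read_only_roles(roles):
    """Keep only roles that grant read access (view-* and query-*)."""
    return [r for r in roles if r["name"].startswith(READ_ONLY_PREFIXES)]


def composite_payload(clients, roles_by_client):
    """Build the RoleRepresentation list to attach to the composite role.

    `roles_by_client` maps a client uuid to its roles as returned by
    GET /admin/realms/master/clients/{uuid}/roles.
    """
    payload = []
    for _realm, client_uuid in sorted(realm_admin_clients(clients).items()):
        for role in read_only_roles(roles_by_client.get(client_uuid, [])):
            payload.append({"id": role["id"], "name": role["name"],
                            "clientRole": True, "containerId": client_uuid})
    return payload


class KeycloakAdmin:
    """Minimal Admin REST client using the password grant on admin-cli."""

    def __init__(self, server, user, password):
        self.server = server.rstrip("/")
        data = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": user, "password": password}).encode()
        url = f"{self.server}/realms/master/protocol/openid-connect/token"
        with urllib.request.urlopen(url, data) as resp:
            self.token = json.load(resp)["access_token"]

    def call(self, method, path, body=None, ignore_conflict=False):
        req = urllib.request.Request(
            f"{self.server}/admin/realms/master{path}",
            data=None if body is None else json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            if ignore_conflict and err.code == 409:  # already exists
                return None
            raise
        return json.loads(raw) if raw else None


def grant_view_everything(kc, username, composite_role):
    """Create/fill the composite role and map it to the user; returns the
    number of view/query roles granted."""
    clients = kc.call("GET", "/clients")
    roles_by_client = {uuid: kc.call("GET", f"/clients/{uuid}/roles")
                       for uuid in realm_admin_clients(clients).values()}
    payload = composite_payload(clients, roles_by_client)
    kc.call("POST", "/roles", {"name": composite_role, "composite": True},
            ignore_conflict=True)
    kc.call("POST", f"/roles/{composite_role}/composites", payload)
    role = kc.call("GET", f"/roles/{composite_role}")
    query = urllib.parse.quote(username)
    users = [u for u in kc.call("GET", f"/users?username={query}")
             if u["username"].lower() == username.lower()]
    if not users:
        raise SystemExit(f"user {username} not found in master realm")
    kc.call("POST", f"/users/{users[0]['id']}/role-mappings/realm", [role])
    return len(payload)


if __name__ == "__main__":
    kc = KeycloakAdmin(CONFIG["server"], CONFIG["admin_user"],
                       CONFIG["admin_password"])
    n = grant_view_everything(kc, CONFIG["username"], CONFIG["composite_role"])
    print(f"mapped {n} view/query roles to {CONFIG['username']}")
```

Re-running the script after a new realm is created refreshes the composite role, which is the manual step the post says is needed for new realms; the role selection is deliberately a prefix filter so that a future Keycloak version adding another view-* or query-* role is picked up while manage-* roles never are.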