Hello,
I’m using Keycloak 21.0.1 with the --features=admin-fine-grained-authz flag enabled.
I have the following use case:
I have several groups in a realm:
- group1
  → group1-admin
- group2
  → group2-admin
and so on.
Users can be part of any group, but users who are part of the *-admin group should be able to view/manage users from the parent group only.
Now, I understand that this can be done using Permissions and Policies, but I don’t quite understand how these should be configured to work properly.
What I did so far:
- create a user and add it to group1-admin
- give this user the following roles:
  realm-management: query-users
  realm-management: manage-users
(I would expect the above to be not really needed, since I could assign a “user-manager” role and create a policy)
When the user logs in to the admin console for the specific realm (/admin/my-realm/console/), he has access to ALL the users in the realm, including the ones from other groups (group-2, etc.).
Then, I create a Group Policy in the realm-management client (Authorization → Policies) that specifies only users of the group-1 group: the is-group-1 policy.
That is the part I’m not sure I understand: where shall I use this policy to make sure that only users from group-1 are visible when the user logs in?
I tried to create a “Permission” bound to the “Users” resource and assigned it the is-group-1 policy, but the user from group1 is still able to see users from other groups.
Thanks!
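The post checks the effective scope of the delegated admin by eye in the console. The script below does the same check programmatically: it logs in as the delegated admin, lists what the Admin REST API returns for users, and reports every visible user who is not a member of the parent group. This is an added example, not the poster's code or anything shipped with Keycloak. It assumes the standard Admin REST API endpoints (the realm token endpoint used with the built-in public admin-cli client, /admin/realms/{realm}/users and /admin/realms/{realm}/users/{id}/groups), the group layout from the post (/group1 with child /group1-admin), and environment variables KC_URL, KC_REALM, KC_USER and KC_PASS that are my own naming. The usernames and group paths in the sample data are constructed so the scope check runs offline.

```python
"""Check which users a delegated Keycloak admin can actually see.

Added example, not the poster's code. Assumes the standard Admin REST API
endpoints, the built-in public admin-cli client for the password grant, and
the group layout from the question (/group1 with child /group1-admin). The
network part only runs when KC_URL is set; the scope check runs on
constructed sample data otherwise.
"""
import json
import os
import urllib.parse
import urllib.request


def out_of_scope_users(users, memberships, allowed_group_path):
    """Return usernames visible to the delegated admin that are NOT members of
    allowed_group_path or one of its subgroups (the ones the admin should not
    be able to see under the intended permission setup).

    users:       list of user representations (dicts with 'id', 'username')
    memberships: mapping user id -> list of group representations ('path')
    """
    leaked = []
    for user in users:
        paths = [g["path"] for g in memberships.get(user["id"], [])]
        in_scope = any(
            p == allowed_group_path or p.startswith(allowed_group_path + "/")
            for p in paths
        )
        if not in_scope:
            leaked.append(user["username"])
    return sorted(leaked)


def _get_json(url, token=None, data=None):
    """Small urllib helper: POST form data when given, else GET; parse JSON."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_visible_users(base_url, realm, username, password):
    """Log in as the delegated admin via admin-cli, then collect the user list
    the Admin API returns for that admin plus each listed user's groups."""
    token = _get_json(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data={"grant_type": "password", "client_id": "admin-cli",
              "username": username, "password": password},
    )["access_token"]
    users = _get_json(f"{base_url}/admin/realms/{realm}/users?max=1000", token)
    memberships = {
        u["id"]: _get_json(
            f"{base_url}/admin/realms/{realm}/users/{u['id']}/groups", token)
        for u in users
    }
    return users, memberships


# Constructed sample mirroring the post: the delegated admin (alice) should only
# see members of /group1, yet the listing also contains bob from /group2.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice"},
    {"id": "u2", "username": "carol"},
    {"id": "u3", "username": "bob"},
]
SAMPLE_MEMBERSHIPS = {
    "u1": [{"path": "/group1/group1-admin"}],
    "u2": [{"path": "/group1"}],
    "u3": [{"path": "/group2"}],
}

if __name__ == "__main__":
    if os.environ.get("KC_URL"):
        users, memberships = fetch_visible_users(
            os.environ["KC_URL"], os.environ.get("KC_REALM", "my-realm"),
            os.environ["KC_USER"], os.environ["KC_PASS"])
    else:
        users, memberships = SAMPLE_USERS, SAMPLE_MEMBERSHIPS
    leaked = out_of_scope_users(users, memberships, "/group1")
    print("users visible outside /group1:", leaked or "none (scope is correct)")
```

Run it without KC_URL to see the check on the sample data; with KC_URL, KC_USER and KC_PASS set to the delegated admin's credentials it reports the real listing. An empty result means the permission setup restricts the admin's view as intended; any username in the result is a user the admin can see but should not, which is the symptom the post describes. Users with no group at all are also reported, since they are outside the parent group too.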