I’m using Keycloak 21.0.1 with the --features=admin-fine-grained-authz flag enabled.
I have the following use case:
I have several groups in a realm:
and so on.
Users can be part of any group, but users who are part of the *-admin group should be able to view/manage users from the parent group only.
Now, I understand that this can be done using Policies, but I don’t quite understand how these should be configured to work properly.
What I did so far:
- create a user and add it to
- give this user the following roles:
(I would expect the above to be not really needed, since I could assign a “user-manager” role and create a policy)
When the user logs in to the admin console for the specific realm (/admin/my-realm/console/), he has access to ALL the users in the realm, including the ones from other groups (
Then, I create a Group Policy in the realm-management client (Authorization → Policies) that specifies only users for
That is the part I’m not sure I understand: where shall I use this policy to make sure that only users from group-1 are visible when the user logs in?
I tried to create a “Permission” bound to the “Users” resource and assigned the is-group-1 policy to it, but the user from group-1 is still able to see users from other groups.
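Whatever permission layout ends up being used, the thing worth verifying afterwards is the observable outcome the question describes: that the group admin's own view of the realm through the Admin REST API contains no users outside group-1. The script below is an added example written for this post, not code from the original post or from the Keycloak project. It assumes a realm reachable at KEYCLOAK_URL, that the group admin can obtain a token through the realm's built-in admin-cli client with a password grant, and a target group path such as "/group-1"; the username "group-1-admin" and the password are placeholders. The check itself is the pure function users_outside_group, which treats members of subgroups of the allowed group as inside it and everyone else (including users with no group at all) as leaked.

```python
"""Check that a group-scoped Keycloak admin only sees members of their group.

Added example, not from the original post or from Keycloak itself. Assumes a
realm reachable at KEYCLOAK_URL, a realm user (the group admin) that can log in
through the realm's built-in admin-cli client, and a target group path such as
"/group-1". The pure function `users_outside_group` does the actual check.
"""
import json
import os
import sys
import urllib.parse
import urllib.request


def users_outside_group(visible_users, memberships, allowed_group_path):
    """Return usernames the admin can see that are NOT members of
    `allowed_group_path` or of one of its subgroups.

    visible_users: list of user dicts as returned by GET /admin/realms/{realm}/users
                   (only "id" and "username" are used).
    memberships:   dict user id -> list of group dicts (each with a "path"),
                   as returned by GET /admin/realms/{realm}/users/{id}/groups.
    """
    def in_allowed_group(group):
        path = group.get("path", "")
        # Exact match or a child path; the trailing "/" keeps "/group-10"
        # from matching "/group-1".
        return path == allowed_group_path or path.startswith(allowed_group_path + "/")

    leaked = []
    for user in visible_users:
        groups = memberships.get(user["id"], [])
        if not any(in_allowed_group(g) for g in groups):
            leaked.append(user["username"])
    return sorted(leaked)


def _get_json(url, token=None, data=None):
    """Minimal urllib helper: GET, or POST a form body when `data` is given."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_visible_users_and_memberships(base_url, realm, username, password):
    """Log in as the group admin and collect what the Admin REST API shows them."""
    token = _get_json(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token",
        data={"grant_type": "password", "client_id": "admin-cli",
              "username": username, "password": password},
    )["access_token"]
    users = _get_json(f"{base_url}/admin/realms/{realm}/users", token)
    memberships = {
        u["id"]: _get_json(f"{base_url}/admin/realms/{realm}/users/{u['id']}/groups", token)
        for u in users
    }
    return users, memberships


if __name__ == "__main__":
    # Connection details are assumptions (placeholders); override via environment.
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
    realm = os.environ.get("KEYCLOAK_REALM", "my-realm")
    admin_user = os.environ.get("GROUP_ADMIN_USER", "group-1-admin")
    admin_pass = os.environ.get("GROUP_ADMIN_PASS", "changeme")
    group_path = os.environ.get("ALLOWED_GROUP_PATH", "/group-1")

    users, memberships = fetch_visible_users_and_memberships(base, realm, admin_user, admin_pass)
    leaked = users_outside_group(users, memberships, group_path)
    if leaked:
        print(f"{admin_user} can see users outside {group_path}: {', '.join(leaked)}")
        sys.exit(1)
    print(f"OK: {admin_user} sees only members of {group_path} ({len(users)} users)")
```

Run it as the group-1 admin after each change to the permission setup; a non-zero exit with a list of usernames means the "Users" resource permission is still granting realm-wide visibility rather than group-scoped visibility. Because the Admin REST API is what the admin console itself calls, this reflects exactly what the admin sees in the console's user list.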