Hello,
I’m using Keycloak 21.0.1 with the --features=admin-fine-grained-authz flag enabled.
I have the following use case:
I have several groups in a realm:
- group1
  → group1-admin
- group2
  → group2-admin
and so on.
Users can be part of any group, but users who are part of the *-admin group should be able to view/manage users from the parent group only.
Now, I understand that this can be done using Permissions and Policies but I don’t quite understand how these should be configured to work properly.
What I did so far:
- create a user and add it to group1-admin
- give this user the following roles: realm-management: query-users, realm-management: manage-users
(I would expect the above to be not really needed, since I could assign a “user-manager” role and create a policy)
When the user logs in to the admin console for the specific realm (/admin/my-realm/console/), he has access to ALL the users in the realm, including the one from other groups (group-2, etc.).
Then, I create a Group Policy in the realm-management client (Authorization → Policies) that specifies only users from the group-1 group: the is-group-1 policy.
That is the part I’m not sure I understand: where shall I use this policy to make sure that only users from group-1 are visible when the user logs in?
I tried to create a “Permission” bound to the “Users” resource and assigned the is-group-1 policy to it, but the user from group1 is still able to see users from other groups.
Thanks!
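As an added example (not part of the question above and not Keycloak project code), the script below plans the Admin REST API calls that a per-group setup like this needs. It assumes Keycloak 21 with admin-fine-grained-authz enabled, the realm-management client's internal UUID already looked up, and the REST paths noted in the comments (the group-policy endpoint, the per-group `management/permissions` toggle, and the scope-permission update); it also assumes the naming convention `<group>-admin` for the admin subgroup. The security-relevant point it encodes: a permission on the realm-level “Users” resource governs every user in the realm, whereas enabling permissions on a specific group creates `view-members` / `manage-members` scope permissions that apply to that group's members only, and the policy attached to them must match the *-admin subgroup rather than the parent group.

```python
# Added example, not from the original post or the Keycloak project.
# Assumes Keycloak 21 with --features=admin-fine-grained-authz and the Admin REST API
# paths shown below; verify them against your version before running for real.
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """One planned Admin REST call (method, path, JSON body)."""
    method: str
    path: str
    body: dict


@dataclass
class Group:
    """Minimal group tree as returned by GET /admin/realms/{realm}/groups (constructed input)."""
    id: str
    name: str
    subgroups: list = field(default_factory=list)


def admin_pairs(groups, suffix="-admin"):
    """Pair each group with its direct subgroup named <group><suffix>, recursing into nested groups."""
    pairs = []
    for g in groups:
        for sub in g.subgroups:
            if sub.name == g.name + suffix:
                pairs.append((g, sub))
        pairs.extend(admin_pairs(g.subgroups, suffix))
    return pairs


def plan_group_permissions(realm, realm_mgmt_client_id, groups):
    """
    For every (group, group-admin) pair produce the calls that:
      1. create a Group policy matching members of group-admin (NOT of the parent group),
      2. enable fine-grained permissions on the parent group, which makes Keycloak create
         view-members / manage-members / view / manage scope permissions for that group only.
    The realm-level "Users" resource is deliberately not touched: a permission on it
    covers every user in the realm, so it cannot restrict visibility to one group.
    """
    base = f"/admin/realms/{realm}"
    policy_url = f"{base}/clients/{realm_mgmt_client_id}/authz/resource-server/policy/group"
    reqs = []
    for parent, admin in admin_pairs(groups):
        reqs.append(Request("POST", policy_url, {
            "name": f"is-{admin.name}",
            "logic": "POSITIVE",
            # extendChildren=False: only direct members of group1-admin match.
            "groups": [{"id": admin.id, "extendChildren": False}],
        }))
        # The response of this PUT lists the ids of the new scope permissions under
        # "scopePermissions"; feed them to bind_policy() below.
        reqs.append(Request("PUT", f"{base}/groups/{parent.id}/management/permissions",
                            {"enabled": True}))
    return reqs


def bind_policy(realm, realm_mgmt_client_id, permission, policy_id):
    """
    Attach a policy to one of the group's scope permissions (e.g. view-members).
    `permission` is the ScopePermissionRepresentation fetched from
    GET .../authz/resource-server/permission/scope/{id}; the update is sent back with the
    associated policies as a list of policy ids (assumption: same shape the admin console sends).
    """
    policies = sorted(set(permission.get("policies", [])) | {policy_id})
    body = {**permission, "policies": policies}
    return Request("PUT",
                   f"/admin/realms/{realm}/clients/{realm_mgmt_client_id}"
                   f"/authz/resource-server/permission/scope/{permission['id']}",
                   body)


if __name__ == "__main__":
    # Constructed sample tree mirroring the question: group1/group1-admin, group2/group2-admin.
    sample = [
        Group("g1", "group1", [Group("g1a", "group1-admin")]),
        Group("g2", "group2", [Group("g2a", "group2-admin"), Group("g2x", "group2-devs")]),
    ]
    for r in plan_group_permissions("my-realm", "<realm-management-uuid>", sample):
        print(r.method, r.path, json.dumps(r.body))
```

Usage: run the planned requests in order with an admin token, then for each group take the `view-members` (and, if managing is wanted, `manage-members`) id from the `scopePermissions` map the enable call returns and send the request built by `bind_policy()` with the id of the matching `is-<group>-admin` policy. The admin user still needs the realm-management `query-users` role to query the user list at all, but should not hold `manage-users` or `view-users`, since those are realm-wide grants.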