What combination of realm-management roles to allow only User reading & editing?

Greetings,

I turn to this forum because despite Keycloak being a great product, I am unable to give the users of my realm the roles to only read and edit the users in the Security Admin Console. No matter the combination, they always end up having access to the “Groups” section as well, or can only see the Users in a read-only manner, or even lose total access (denoted with a “Forbidden - You don’t have access to the requested resource”). I tried to combine the following realm-management roles:

  • manage-users
  • view-users
  • query-users
  • manage-groups
  • view-groups
  • query-groups
  • impersonation

Is it even possible to achieve? What am I missing?

Thank you in anticipation for any kind of help you will be able to provide me.

Hi there,

It seems that we are in the same boat.

Someone has asked nearly the same question as you; here is the link.

To solve this, we should use Fine Grain Admin Permissions, but sadly it’s still in preview, as said in the official doc: ‘Fine Grain Admin Permissions is Technology Preview and is not fully supported. This feature is disabled by default.’

Here is the Jira about this feature: https://issues.redhat.com/browse/KEYCLOAK-3444

Dedicated Realm Admin Consoles

Each realm has a dedicated Admin Console that can be accessed by going to the URL /auth/admin/{realm-name}/console. Users within that realm can be granted realm management permissions by assigning specific user role mappings.

See: Dedicated Realm Admin Consoles

Fine Grain Admin Permissions

Sometimes roles like manage-realm or manage-users are too coarse grained and you want to create restricted admin accounts that have more fine grained permissions.

Fine Grain Admin Permissions is Technology Preview and is not fully supported. This feature is disabled by default.

To enable, start the server with:

-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled

See: Fine Grain Admin Permissions
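Whichever combination of realm-management roles you settle on, the check worth running after every change is the list of roles the user *effectively* holds, because several realm-management roles are composites and pull in roles you did not assign by hand. The script below is an added example, not code from this thread or from the Keycloak project: it wraps the stock `kcadm.sh` client to assign and revoke realm-management client roles for a realm user and to print the effective mapping. It assumes `kcadm.sh` (from Keycloak's `bin/` directory) is on `PATH` and that `kcadm.sh config credentials` has already been run against the master realm; the realm name `myrealm` and the user `alice` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Keycloak). Grants a realm user
# a chosen set of realm-management client roles, revokes the ones you do not
# want, and lists what the user effectively holds (composites expanded) so
# the result can be checked before the user opens
# /auth/admin/{realm-name}/console.
#
# Assumptions: kcadm.sh is on PATH and
#   kcadm.sh config credentials --server http://localhost:8080/auth \
#     --realm master --user admin
# has already been run. "myrealm" and "alice" below are placeholders.

set -eu

# Set KCADM=echo to print the commands instead of running them (dry run).
KCADM="${KCADM:-kcadm.sh}"

# assign_admin_roles REALM USER ROLE...
# One add-roles call per role, all against the realm-management client.
assign_admin_roles() {
  realm="$1"; user="$2"; shift 2
  for role in "$@"; do
    "$KCADM" add-roles -r "$realm" --uusername "$user" \
      --cclientid realm-management --rolename "$role"
  done
}

# revoke_admin_roles REALM USER ROLE...
# Removes a DIRECT mapping only; a role that arrives through a composite
# cannot be removed this way and will still show up as effective.
revoke_admin_roles() {
  realm="$1"; user="$2"; shift 2
  for role in "$@"; do
    "$KCADM" remove-roles -r "$realm" --uusername "$user" \
      --cclientid realm-management --rolename "$role"
  done
}

# effective_admin_roles REALM USER
# Prints the realm-management roles the user ends up with, composites
# expanded. Compare this list with the roles you intended to grant.
effective_admin_roles() {
  "$KCADM" get-roles -r "$1" --uusername "$2" \
    --cclientid realm-management --effective
}

# Typical sequence for the question in this thread (placeholder names):
#   assign_admin_roles myrealm alice view-users manage-users
#   revoke_admin_roles myrealm alice manage-groups view-groups query-groups
#   effective_admin_roles myrealm alice
```

Run the three calls in the commented sequence with the real realm and user names; if a role you never assigned still appears in the effective list after revoking it, it is being inherited through a composite role, which is exactly the situation where the per-role approach stops helping and the Fine Grain Admin Permissions feature quoted above becomes the remaining option.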