Greetings,
I turn to this forum because, despite Keycloak being a great product, I am unable to give the users of my realm the roles to only read and edit the users in the Security Admin Console. No matter the combination, they always end up having access to the “Groups” section as well, or can only see the Users in a read-only manner, or even lose access entirely (denoted with a “Forbidden - You don’t have access to the requested resource”). I tried to combine the following realm-management roles:
manage-users
view-users
query-users
manage-groups
view-groups
query-groups
impersonation
Is it even possible to achieve? What am I missing?
Thank you in anticipation for any kind of help you will be able to provide me.
Hi there,
It seems that we are in the same boat.
Someone has asked nearly the same question as you; here is the link.
To solve this, we should use Fine Grain Admin Permissions, but sadly it’s still in preview, as the official doc says: “Fine Grain Admin Permissions is Technology Preview and is not fully supported. This feature is disabled by default.”
Dedicated Realm Admin Consoles
Each realm has a dedicated Admin Console that can be accessed by going to the url /auth/admin/{realm-name}/console. Users within that realm can be granted realm management permissions by assigning specific user role mappings.
See: Dedicated Realm Admin Consoles
Fine Grain Admin Permissions
Sometimes roles like manage-realm or manage-users are too coarse grained and you want to create restricted admin accounts that have more fine grained permissions.
Fine Grain Admin Permissions is Technology Preview and is not fully supported. This feature is disabled by default.
To enable start the server with:
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
See: Fine Grain Admin Permissions
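Before reaching for the preview feature, it helps to see why the “Groups” section keeps appearing: realm-management roles are composites, so assigning one of them can silently bring others along. The script below is an added example (not code from this thread or from the Keycloak project). It expands role composites transitively and reports which group-related roles a user ends up with and through which parent. The built-in table of composites is a constructed sample reflecting the editor’s understanding of the defaults (view-users carrying query-users and query-groups); the fetch helpers pull the real map from a live server through the Admin REST API so you can check your own realm. The server URL, realm and credentials read from KC_URL, KC_USER, KC_PASS and KC_REALM are placeholders.

```python
"""Show which realm-management roles an admin user effectively holds, and why.

Added example for the thread above, not Keycloak's own code. The REST paths used
(token endpoint, client lookup by clientId, client-role composites) are standard
Admin REST API endpoints; everything else here is an assumption or constructed.
"""
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of realm-management composites as the editor understands the
# defaults (abridged). Do not trust it blindly: verify with fetch_composites().
SAMPLE_COMPOSITES = {
    "realm-admin": ["manage-users", "view-users", "manage-groups", "view-groups",
                    "query-users", "query-groups", "impersonation"],
    "view-users": ["query-users", "query-groups"],
    "view-clients": ["query-clients"],
}

GROUP_ROLES = ("manage-groups", "view-groups", "query-groups")


def expand_composites(assigned, composites):
    """Transitively expand role names.

    Returns {effective_role: parent_it_was_inherited_from}; roles that were
    assigned directly map to None. A role reached twice keeps the first parent seen.
    """
    origin = {}
    stack = [(role, None) for role in assigned]
    while stack:
        role, parent = stack.pop()
        if role in origin:
            continue
        origin[role] = parent
        for child in composites.get(role, ()):
            stack.append((child, role))
    return origin


def explain_group_access(assigned, composites):
    """Group-related roles the user ends up with, keyed by role, valued by source."""
    origin = expand_composites(assigned, composites)
    return {role: origin[role] for role in GROUP_ROLES if role in origin}


def get_admin_token(base_url, username, password):
    """Password grant against master/admin-cli, the same client kcadm.sh uses.
    base_url includes the /auth prefix on the older WildFly distribution."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_get(base_url, token, path):
    """GET a JSON resource under /admin/realms with a bearer token."""
    req = urllib.request.Request(f"{base_url}/admin/realms{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_composites(base_url, token, realm):
    """Build the same {role: [children]} map from the realm's realm-management client."""
    client = admin_get(base_url, token, f"/{realm}/clients?clientId=realm-management")[0]
    roles = admin_get(base_url, token, f"/{realm}/clients/{client['id']}/roles")
    composites = {}
    for role in roles:
        if role.get("composite"):
            name = urllib.parse.quote(role["name"], safe="")
            children = admin_get(
                base_url, token, f"/{realm}/clients/{client['id']}/roles/{name}/composites")
            composites[role["name"]] = [child["name"] for child in children]
    return composites


if __name__ == "__main__":
    # The combination the original poster tried: edit users without seeing groups.
    assigned = ["manage-users", "view-users"]
    if os.environ.get("KC_URL"):  # placeholder env vars; absent, use the sample table
        token = get_admin_token(os.environ["KC_URL"], os.environ["KC_USER"], os.environ["KC_PASS"])
        composites = fetch_composites(os.environ["KC_URL"], token, os.environ["KC_REALM"])
    else:
        composites = SAMPLE_COMPOSITES
    for role, via in explain_group_access(assigned, composites).items():
        source = "assigned directly" if via is None else f"inherited from {via}"
        print(f"{role}: {source}")
```

With the sample table, assigning manage-users plus view-users yields query-groups inherited from view-users, which is exactly the leak the question describes; role mappings alone cannot remove a composite’s child, which is why the reply points to Fine Grain Admin Permissions. Note that the -D profile flag quoted above belongs to the WildFly-based distribution; on the Quarkus-based distribution the same preview feature is enabled with --features=admin-fine-grained-authz.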