KeyCloak restricting user management to certain groups while enabling 'manage-users'
Using the KeyCloak admin console, I am attempting to enact the following use-case.

We have Group X and Group Y.

The role 'Group X Admin' can do the following:

  1. Can create users without a group.
  2. Can assign users without a group to group X.
  3. Can edit and manage users in group X.
  4. Cannot see/edit/manage users in group Y.

It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.

It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.

Is there a way to grant permissions to Add Users while restricting access to certain groups?

Shamus answered 31/7, 2018 at 15:16 Comment(1)
Did you find a way to configure items 3 and 4? – Behr
You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from RedHat) but it's the kind of functionality you are looking for.

I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.

Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).

Update

Some instructions on how to set it up:

  • Enable preview profile (in Keycloak startup script)
  • Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
  • Create a group x-users
  • Create a group x-admins
  • Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
  • Click view-members (on the same page) and add a group policy:
    • Scopes: view-members
    • Apply Policy: Create Policy... / Group
    • Enter name, e.g. x-admin-policy
    • Enter description
    • Groups: select group x-admins
    • Save
    • Repeat for manage-members
Milagro answered 27/5, 2019 at 11:26 Comment(8)
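The console steps above, scripted against the Keycloak Admin REST API as an added example (not code from the original answer or from Keycloak): it enables permissions on realm-management and on x-users, creates the group policy for x-admins, and attaches it to the auto-generated view-members and manage-members scope permissions, which covers items 3 and 4 but, as the comments note, not user creation. Assumed: the fine-grained admin permissions feature is enabled, both groups exist, `token` is a realm-admin bearer token, and the endpoint paths and field names are the ones the admin console itself calls.

```python
"""Scripted version of the answer's admin-console steps (added example, not from the post).
Stdlib only. Assumes the fine-grained admin permissions feature is enabled, both groups
already exist, and `token` is a bearer token for a realm admin."""
import json
import urllib.request


def group_policy_payload(name, admin_group_id, description=""):
    # Group policy: satisfied when the acting admin is a member of x-admins.
    return {"name": name, "description": description, "type": "group",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "groups": [{"id": admin_group_id, "extendChildren": False}]}


def pick_scope_permissions(mgmt_ref, scopes=("view-members", "manage-members")):
    # Enabling permissions returns {"enabled", "resource", "scopePermissions": {scope: permission_id}}.
    # Only the two scopes from the answer are wired up; "manage" on the group itself is left alone.
    return {scope: mgmt_ref["scopePermissions"][scope] for scope in scopes}


def attach_policy(permission, policy_id):
    # Permission representation to PUT back: the policy is added once, existing ones are kept.
    policies = list(permission.get("policies", []))
    if policy_id not in policies:
        policies.append(policy_id)
    return {**permission, "policies": policies}


def _call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def configure(base, realm, token, users_group_id, admins_group_id):
    adm = f"{base}/admin/realms/{realm}"
    rm = _call("GET", f"{adm}/clients?clientId=realm-management", token)[0]["id"]
    authz = f"{adm}/clients/{rm}/authz/resource-server"
    _call("PUT", f"{adm}/clients/{rm}/management/permissions", token, {"enabled": True})
    ref = _call("PUT", f"{adm}/groups/{users_group_id}/management/permissions", token, {"enabled": True})
    policy = _call("POST", f"{authz}/policy/group", token,
                   group_policy_payload("x-admin-policy", admins_group_id, "x-admins manage x-users"))
    for scope, perm_id in pick_scope_permissions(ref).items():
        current = _call("GET", f"{authz}/permission/scope/{perm_id}", token)
        # Assumption: fields omitted from the PUT (resources, scopes) are not cleared by Keycloak.
        _call("PUT", f"{authz}/permission/scope/{perm_id}", token, attach_policy(current, policy["id"]))
        print(f"{scope}: policy {policy['name']} attached to permission {perm_id}")
```

Run `configure("https://keycloak.example", "myrealm", token, users_gid, admins_gid)` with the two group ids taken from the admin console; members of x-admins will then see and manage only x-users members, provided they hold no realm-management manage-users role, which the question shows bypasses these permissions.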
Codo - Can you please share how you configured it in order to fulfill items 3 and 4? This is exactly what we are looking for! – Behr
@kmualem: I've added some instructions above. – Milagro
@Milagro I have a similar problem described in the Keycloak forum here: keycloak.discourse.group/t/non-modifiable-view-only-admin/6571 and it seems that "Fine Grain Admin Permission" is not sufficient for my case either. Can you describe your solution "a privileged service in front of keycloak for delegated user administration" in more detail so I can check if it suits my requirements? – Coercion
It's an additional web application for user administration. It allows certain users to manage users within their own group. Within Keycloak, they don't have the user management right. The web application executes the actions on their behalf using a technical user with user management rights. Of course, the web application first checks what those users are entitled to. – Milagro
@Milagro Did you successfully allow creating users only within a group? I followed the steps for manage-members and manage-membership but the "Add user" button doesn't appear. – Joannejoannes
No, we didn't. User creation was the main use case that wasn't doable (and possibly still is). That's why we discarded the Fine Grain Admin approach altogether. – Milagro
Also see github.com/keycloak/keycloak/pull/6667: Adding an explicit create-user-in-group seems like the way to go. The implicit approach taken in the PR we have open seems like you won't have the option to differentiate whether someone can just add members to the group, or whether they can also create new users. – Up
I got confused at the "Apply Policy: Create Policy... / Group" step. I had to go to the realm client, select the policies tab, create a policy, add the admin group to the policy, and then go back to the group permission and add that policy to it. I'm using Keycloak v20. – Kagoshima
Seems like there is no way in the current admin console :(. I also went through the documentation (and even through the source code ;) ) and did not find a way. Maybe better to create a request in the Keycloak JIRA project. By the way, I was also looking to solve exactly the same problem. Actually there is a JIRA ticket about documenting the fine-grained permissions in the admin console: https://issues.jboss.org/browse/KEYCLOAK-3444 Maybe you can post your comment there or open a new story.

Cenis answered 24/8, 2018 at 7:15 Comment(0)
