How to create group-based access in Superset with Keycloak integration - keycloak

Currently we have integrated Superset with Keycloak, and we have a requirement to create groups to access the dashboards as below.
When user 1 logs into Superset (through Keycloak), he/she should be able to see dashboards 1 and 2; similarly, when user 3 logs in, only dashboard 3 should be visible.
How can we achieve this in Superset, and what code changes do we need to make in Superset?
Thanks
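Superset's authentication is built on Flask-AppBuilder, whose OAuth login path takes a list of role keys returned by the security manager's oauth_user_info (for Keycloak, typically the groups claim that a "Group Membership" protocol mapper adds to the token) and looks each one up in the AUTH_ROLES_MAPPING setting to decide which Superset roles the user gets; with the DASHBOARD_RBAC feature flag, each dashboard can then be restricted to particular roles. The block below is an added example, not code from Superset or from the question: it reproduces that lookup stand-alone so the two-user scenario above can be traced without a running Superset. The group paths, role names and token contents are constructed for the example.

```python
import base64
import json
from typing import Dict, List, Sequence

# Constructed mapping for this example: Keycloak group path -> Superset role names.
# Same shape as Flask-AppBuilder's AUTH_ROLES_MAPPING in superset_config.py.
GROUP_TO_ROLES: Dict[str, List[str]] = {
    "/dashboards-1-2": ["Gamma", "dash_1_2_viewer"],  # user1's group: dashboards 1 and 2
    "/dashboards-3": ["Gamma", "dash_3_viewer"],      # user3's group: dashboard 3 only
    "/superset-admins": ["Admin"],
}
# Assumption: unmapped users fall back to a role that sees no dashboards.
FALLBACK_ROLES: List[str] = ["Public"]


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, re-adding the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def groups_from_token(id_token: str, claim: str = "groups") -> List[str]:
    """Read the group-membership claim out of an ID token payload.

    The signature is NOT checked here: the OIDC client library is assumed to
    have verified the token before any claim is trusted. Only the claims are
    parsed so the role lookup can be shown offline.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = json.loads(_b64url_decode(parts[1]))
    groups = payload.get(claim, [])
    if not isinstance(groups, list):
        raise ValueError(f"claim {claim!r} is not a list")
    return [str(g) for g in groups]


def roles_for_groups(groups: Sequence[str],
                     mapping: Dict[str, List[str]] = GROUP_TO_ROLES,
                     fallback: Sequence[str] = FALLBACK_ROLES) -> List[str]:
    """Map Keycloak groups to Superset roles; groups not in the table grant nothing."""
    roles: List[str] = []
    for group in groups:
        for role in mapping.get(group, []):
            if role not in roles:
                roles.append(role)
    return roles if roles else list(fallback)


def make_unsigned_demo_token(payload: dict) -> str:
    """Build an alg=none token for this offline demo only; never accept such tokens in production."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    demo_users = {"user1": ["/dashboards-1-2"], "user3": ["/dashboards-3"], "guest": ["/unknown"]}
    for user, grps in demo_users.items():
        token = make_unsigned_demo_token({"preferred_username": user, "groups": grps})
        print(user, "->", roles_for_groups(groups_from_token(token)))
```

Because the table is consulted on every login (AUTH_ROLES_SYNC_AT_LOGIN in Flask-AppBuilder), removing a user from a Keycloak group removes the matching Superset role on their next login, which is the behaviour you want for revocation.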

Related

Dynamically add permissions to read/edit Grafana dashboards in a folder for users

I want to automate creating users and adding permissions. Is it possible in Grafana to dynamically add permissions to a user based on their AD group?
Let's say a user inputs his data, including the AD group he is in, and the app will create a folder and set read/edit permissions only for users that are in that AD group (which can be any group)?
I know you can set viewer/editor/admin roles for people based on AD group in the config file, but is it possible to do so dynamically, with their HTTP API?
You can set permissions for folders and permissions for dashboards using the Grafana HTTP API:
Folder Permissions API
Dashboard Permissions API
The logic, what permission should be set for which user, needs to be determined in your code (e.g. based on the user input you mentioned) before making the request.
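An added example of the two calls that answer describes, written for this page and not taken from Grafana or from the answer: the app creates a folder with POST /api/folders and then sets that folder's permission list with POST /api/folders/:uid/permissions, where each item names a team (or user or role) and a permission level (1 = View, 2 = Edit, 4 = Admin). The AD-group-to-team lookup, the form input and the team id are constructed; the example assumes a Grafana team already exists for the AD group (for instance via team sync) and that the caller holds a service-account token.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Grafana folder/dashboard permission levels used by the Permissions API.
VIEW, EDIT, ADMIN = 1, 2, 4

# Constructed form input: what the user of the app from the question submits.
REQUEST_FROM_USER = {
    "folder_title": "Team Payments",
    "folder_uid": "team-payments",
    "ad_group": "CN=Payments,OU=Teams,DC=example,DC=com",
}
# Constructed lookup (assumption): AD group -> id of the Grafana team synced for it.
AD_GROUP_TO_TEAM_ID: Dict[str, int] = {"CN=Payments,OU=Teams,DC=example,DC=com": 7}

# A sender takes (method, path, json_body) and returns the decoded JSON reply.
Sender = Callable[[str, str, Optional[dict]], dict]


def http_sender(base_url: str, token: str) -> Sender:
    """Real sender: bearer-authenticated JSON requests against a Grafana instance."""
    def send(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def recording_sender(log: List[dict]) -> Sender:
    """Offline sender: records requests and fakes the folder-creation reply."""
    def send(method: str, path: str, body: Optional[dict] = None) -> dict:
        log.append({"method": method, "path": path, "body": body})
        return {"uid": body["uid"]} if body and "uid" in body else {}
    return send


def folder_permission_items(team_id: int, read_only: bool = False) -> List[dict]:
    """Permission list for one team. The API replaces the folder's whole list,
    so anything not included here (e.g. the default Viewer/Editor role entries)
    is removed, which is exactly what limits access to the one AD group."""
    return [{"teamId": team_id, "permission": VIEW if read_only else EDIT}]


def provision_folder_for_ad_group(request: dict, send: Sender,
                                  team_lookup: Dict[str, int] = AD_GROUP_TO_TEAM_ID) -> str:
    """Create the folder, then restrict it to the team matching the AD group."""
    team_id = team_lookup.get(request["ad_group"])
    if team_id is None:
        # Refuse rather than create a folder that would keep the default open permissions.
        raise LookupError(f"no Grafana team for AD group {request['ad_group']!r}")
    folder = send("POST", "/api/folders",
                  {"uid": request["folder_uid"], "title": request["folder_title"]})
    uid = folder.get("uid", request["folder_uid"])
    send("POST", f"/api/folders/{uid}/permissions", {"items": folder_permission_items(team_id)})
    return uid


if __name__ == "__main__":
    calls: List[dict] = []
    created = provision_folder_for_ad_group(REQUEST_FROM_USER, recording_sender(calls))
    print("created folder", created)
    for c in calls:
        print(c["method"], c["path"], json.dumps(c["body"]))
```

Swapping recording_sender for http_sender("https://grafana.example.invalid", token) performs the same two requests for real; keeping the sender injectable is also what lets you test the permission logic without a Grafana instance.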

Multitenancy with KeyCloak

We have a system that utilizes different tenants, where users can be part of one or multiple tenants. You can imagine it as one application, where users can switch between the tenants and see assets related to the selected tenantId.
Our external KeyCloak adviser proposes to use one realm and reflect different tenants as clients in KeyCloak.
I've read in different sources that it is not advised to use multi-tenancy with one realm, though I am not 100% sure if it applies to our use case.
Additionally we will need to have different groups on the same user, depending on the tenantId.
For example a user could have Group A and B on tenant 1 but only Group B on tenant 2. This doesn't seem to be possible out of the box with KeyCloak.
Which general approach would you suggest?

Keycloak -> How to fetch permissions attached to a single role or group

Scenario:
Use Groups for multi-tenancy (one user working for different organizations):
Create one group for each org, like group_org1, group_org2, etc.
Provide permissions to the above groups using a group policy (using the confidential client's Authorization tab). Ex.: group_org1 has permission on resource1 and group_org2 has permission on resource2.
Assign the above groups to a user; hence the user will have 2 groups and permission on resource1 & resource2.
Now the groups fetched for this user will be used as organizations in the application.
When org1 is selected, the application will work according to the permissions attached to group org1, i.e. permission only on resource1.
Question:
As of now, if I try to fetch authorization permissions for a user, Keycloak gives me the combined permissions attached to both groups, i.e. on resource1 and resource2. I need to fetch the permissions attached to a single group using the Keycloak REST API (after fetching these specific permissions I can authorize the user in the application for the given resource).
Hope I made my question a bit clear.

Keycloak Admin REST-API Synchronize federation mapper

I am using Keycloak 9.0.3 with an LDAP user federation, with edit mode = WRITABLE and Import Users = on.
I am developing a Spring Boot application that should call the Keycloak REST API to create, update and delete users and groups in LDAP. I also created a "group-ldap-mapper" in my user federation to map LDAP groups to Keycloak groups and vice versa.
My requirement is to create and delete Keycloak groups via the REST API and have them mapped to groups in LDAP using the mapper above. When my application calls POST /{realm}/groups, Keycloak just creates the group in the Keycloak DB and does not synchronise to LDAP unless the group gets assigned to some user. This is actually not a big problem.
The real problem is when my application deletes the group via DELETE /{realm}/groups/{id}. The group gets deleted from the Keycloak DB but not from LDAP.
An acceptable workaround would be to call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync, which synchronises the groups and does the job.
The problem with this workaround is that there is no way to get the federation mapper id ({id}) other than hardcoding it in the Spring application. There is no REST call to retrieve this id programmatically.
Any idea how to solve this?
I figured out how to find the ids of the federation and the group-ldap-mapper programmatically to use them in the call POST /{realm}/user-storage/{parentId}/mappers/{id}/sync.
One can call GET /{realm}/components. This returns, among other things, the federation and its mappers. In my case I could find the federation id from the UserRepresentation and then I used it to filter the components (parent={federation id}). According to the documentation there is also a type query, but I could not figure out the right value.
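As an added example (not code from the poster or from Keycloak), the filtering step that answer describes, done over a constructed excerpt of a GET /admin/realms/{realm}/components reply. Two facts the example relies on: every LDAP mapper, including group-ldap-mapper, has the providerType org.keycloak.storage.ldap.mappers.LDAPStorageMapper, which is the value for the type query parameter the poster could not find, and a federated user's UserRepresentation carries the federation id in its federationLink field. The sync endpoint takes a direction query parameter (fedToKeycloak or keycloakToFed); which direction covers the poster's delete case is not stated in the thread, so the default below is an assumption. All ids and names in the data are made up.

```python
from typing import Dict, List
from urllib.parse import urlencode

# providerType shared by all LDAP mappers (user-attribute, group, role, ...).
LDAP_MAPPER_TYPE = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
# providerType of the federation component itself.
USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"

# Constructed excerpt of a components listing; ids are invented for the example.
COMPONENTS: List[Dict[str, str]] = [
    {"id": "aaaa-1111", "name": "ldap", "providerId": "ldap",
     "providerType": USER_STORAGE_TYPE, "parentId": "myrealm-id"},
    {"id": "bbbb-2222", "name": "username", "providerId": "user-attribute-ldap-mapper",
     "providerType": LDAP_MAPPER_TYPE, "parentId": "aaaa-1111"},
    {"id": "cccc-3333", "name": "groups", "providerId": "group-ldap-mapper",
     "providerType": LDAP_MAPPER_TYPE, "parentId": "aaaa-1111"},
    {"id": "dddd-4444", "name": "rsa-generated", "providerId": "rsa-generated",
     "providerType": "org.keycloak.keys.KeyProvider", "parentId": "myrealm-id"},
]


def find_federation_id(components: List[Dict[str, str]], name: str = "ldap") -> str:
    """Locate the user-storage provider by display name (alternative to reading
    UserRepresentation.federationLink when no federated user is at hand)."""
    hits = [c["id"] for c in components
            if c.get("providerType") == USER_STORAGE_TYPE and c.get("name") == name]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one federation named {name!r}, found {len(hits)}")
    return hits[0]


def find_mapper_id(components: List[Dict[str, str]], federation_id: str,
                   provider_id: str = "group-ldap-mapper") -> str:
    """Return the one mapper of the given kind that belongs to this federation.
    Both parentId and providerType are checked so a same-named component under
    another parent cannot be picked up by accident."""
    hits = [c["id"] for c in components
            if c.get("parentId") == federation_id
            and c.get("providerType") == LDAP_MAPPER_TYPE
            and c.get("providerId") == provider_id]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one {provider_id}, found {len(hits)}")
    return hits[0]


def components_query(realm: str, parent_id: str, provider_type: str = LDAP_MAPPER_TYPE) -> str:
    """Server-side equivalent of the filter above: the parent and type query params."""
    return f"/admin/realms/{realm}/components?" + urlencode({"parent": parent_id, "type": provider_type})


def mapper_sync_url(realm: str, federation_id: str, mapper_id: str,
                    direction: str = "keycloakToFed") -> str:
    """Path for the sync call; 'direction' is required by the endpoint."""
    if direction not in ("fedToKeycloak", "keycloakToFed"):
        raise ValueError(f"unknown sync direction {direction!r}")
    return (f"/admin/realms/{realm}/user-storage/{federation_id}"
            f"/mappers/{mapper_id}/sync?direction={direction}")


if __name__ == "__main__":
    fed = find_federation_id(COMPONENTS)
    mapper = find_mapper_id(COMPONENTS, fed)
    print("GET ", components_query("myrealm", fed))
    print("POST", mapper_sync_url("myrealm", fed, mapper))
```

Resolving the ids at start-up (or on first use) instead of hardcoding them also survives a realm export/import, where component ids change but names and provider ids do not.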

Keycloak: Rule-based groups

I have configured Keycloak with user self-registration. The Keycloak instance will hold users of multiple customers, which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to the appropriate groups (using their email address, e.g.), I'd like to put them in their default group upon registering. Is this possible using either configuration or by implementing an SPI? Or are there other possibilities to achieve similar behavior?