Is there any way to restrict the access to the keycloak admin console at the level of groups or user roles? The way of restriction by ip (and undertow filter to block external access), unfortunately, does not quite suit me. I will be very grateful for any advice!
I tried to create roles for security-admin-console and realm-management clients, but it didn't work, all the users still have access to admin console.
It turned out, that the problem was because of realms' default groups. I checked them out and there was admin role by default in all the realms' default groups. For this reason, all imported from a third-party idp users had the admin role by default and had access to the admin console.
Related
Is it possible in keycloak to prevent the account client from logging in a specific user? I have a user that is only supposed to log in via the admin-cli endpoints, but it is in the same realm as the account client.
You can try to remove the
default-roles-<realm-name> role
for this user. This will remove the effective roles for the account client role
I'm trying to create a user in Keycloak admin console, but it has effective roles that should not be there. In addition to default realm roles, each user, when created, has odd Effective Roles. And I can't understand, where they come from. Even when I delete all assigned roles, effective roles just stay there.
This does not happen usually, seems like a problem with your Keycloak setup and installation.
Have you checked the default roles at realm level? Roles shown in screenshot belong to realm-management client.
If you are using master realm, I'd suggest you to create a new realm other than master and use it.
Keycloak provides some built-in roles to manage keycloak itself. These roles are defined in the realm-management client of every non-master realm. As example, I can define a user which has the permissions to manage users. But now this user can change all the roles of all the users. The user can even change the role of itself.
In our application we need a hierarchical role structure in the following way. We have a root, admin and some other specific application roles. The root role should be able to manage the keycloak customer realm as also some application specific functionality. The admin role should have the permissions to manage users and also some application specific functionality.
I have tried to model that in keycloak the following way. I have two realm roles root and admin as also some client (my-app) roles root, admin, edit and view. The realm roles are composite roles which use their counterpart in the client (root -> may-app.root, admin -> my-app.admin).
Now, the issues is that the admin user can change it's role to root. How can I restrict the permissions of the admin user to allow only to manage user or roles that are on the same level or below? Is their such built-in functionality or should I provide my own UI on top of the Keycloak REST API?
KeyCloak question for everyone.
Is it possible to disable impersonation of a group (for example, an admin group), or for a realm (the admin management console)?
Thx
You can assign impersonation role for a user from Client Roles of the realm.
Each realm has a built-in client called realm-management. This client defines client-level roles that specify permissions that can be granted to manage the realm.
You can find more on available roles from Keycloak docs
Once you remove impersonation client-level role for your realm , it is not available for all users of the realm.
I configured LDAP as User Federation (with role-ldap-mapper) and successfully imported users with their roles to Keycloak.
When I go to Users->{user}->Role Mappings I see every roles that are signed to a user (imported from LDAP), but when I go to Roles->{role}->Users In Role I see nothing.
Is it a bug or a feature? Or maybe I configure something wrong?
Users roles
Empty Users in Roles
LDPA Role mapper configuration
I faced the same issue. I changed the Mode (inside LDAP role mapper) to Import instead of READ_ONLY and I was able to see users under a role.
Please create mapper of type msad-lds-user-account-control-mapper.
It works for me.