User roles not mapped to group in keycloak - keycloak

I have a feature where I am supposed to assign a particular role to a group. Result is such that all the members of the group should be mapped to the role. However the roles dashboard doesn't reflect the group assigned to it. How do I achieve this?

Related

Question about authentication in ActiveMQ Artemis

We have ActiveMQ Artemis 2.26.0 which is configured for Active Directory domain authentication.
When a user is authenticated the role is assigned using group membership (userRoleName="memberOf") or username (userRoleName="sAMAccountName"). Is it possible to grant authorizations using both username and groups to which user belongs to?
Currently I have a login.config which works differently for users in different organizational units of domain:
LDAPLogin {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
ignorePartialResultException=true
connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
connectionUsername="bind_username"
connectionPassword="bind_password"
connectionProtocol="s"
connectionTimeout="5000"
readTimeout="5000"
authentication=simple
userBase="OU=OU_for_application_users,DC=company,DC=tld"
userSearchMatching="(sAMAccountName={0})"
userSearchSubtree=true
userRoleName="sAMAccountName"
;
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule sufficient
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
ignorePartialResultException=true
connectionURL="ldaps://domain-controller1:636 ldaps://domain-controller2:636"
connectionUsername="bind_username"
connectionPassword="bind_password"
connectionProtocol="s"
connectionTimeout="5000"
readTimeout="5000"
authentication=simple
userBase="OU=OU_for_team_users,DC=company,DC=tld"
userSearchMatching="(sAMAccountName={0})"
userSearchSubtree=true
userRoleName="memberOf"
roleName="CN"
;
};
User from OU_for_application_users gets one role which is equal to username, and user from OU_for_team_users gets roles from list of groups to which the user belongs to. Technically it is different types of users (special application accounts and personal user accounts).
Is it possible to create a login.config which assigns to user a list of roles which combine username and list of user groups? Or is there any other way to add authorizations which use both username and group of user?
Also I think if it is a good idea. In other brokers, for example IBM MQ, we can configure separate authorizations for users and for groups. In ActiveMQ Artemis we have only one "role" regardless of what it represents - username or group name.
ActiveMQ Artemis supports roles based access control. There is no option to configure authorization based on username.
The configuration of the LDAPLoginModule is limited to userRoleName when assigning roles. However, JAAS login modules are pluggable so you are free to write your own or contribute changes to LDAPLoginModule to support the behavior you want.

Role based system in Tree User Structure

So I am using Node/MongoDB (mongoose) to implement this feature.
What I need is the right solution for the following problem:
We have many Company(ies)
Each Company can create it's own Roles
Role is a set of predefined Permissions (like task.create, task.read, task.update, task.delete)
They can choose which Permissions are included in which Role
Company can create it's own Users, and assign them a Role
Lets say that company created 3 roles (the order matters):
Owner (always predefined, has all Permissions)
Team Leader
SuperAgent
Agent
Beside that, I also have Users in a tree structure, with parent reference which holds the _id of the User above him.
The rules are:
User can have none or many children
User cannot be above someone that have higher role than him
User cannot be below someone that have lower role than him
The Tree can get as deep as they want...
So the right representation of this would be:
But because Company Owner can at any time make new Role, or switch the order of roles, the problem occurs...
Let's say he switched the places of 2 roles, and they are now:
Agent
SuperAgent
How would you update all Users?
Also, what if he creates a new Role, puts it in 3rd place, and now needs to update everyone 1 role below, so he can attach that new role to a user...
What approach would you take to solve this kind of issue?

Is it possible to add different roles to a user in different groups in keycloak?

User-Ankit
He is in two groups named flights and hotels.
In flights,he is a manager
In Hotels,he is a supervisor.
can we assigns these different roles to Ankit in different groups in keycloak?
I think you have to separate the roles to be specific to the group - you'd need a flights-manager role and a separate hotels-manager role and so on.
You can assign roles to a user or group but assigning roles to a group effectively assigns those roles to all the members of the group. I think this is pretty typical.
When you assign roles to the user, you just assign roles to the user and not a user within a group:
There's a thread in the keycloak mailing list where this comes up. Basically groups are just ways of collecting users and not part of the access control structure.
If hotels and flights correspond to apps then you might want to consider whether you could handle them as clients rather than groups but I think you'd still need to have separate sets of roles.

Suite CRM Role management, GM, DM, SR hierarchy

Can you please explain how can i setup the role management and security groups in suiteCRM to achieve this,
Two General Manager, they cannot access the records of other GMs and his team records
Any number of Divisional Managers under GM, they cannot access the records of their own GM, other GMs, and other DM but can access the reports of SR under them.
SR (Sales representative) can access only their own records.
Thanks :)
Try this (not tested)
Create All Security groups for DM. This is the main unit of security.
Assign the GM users to the DM security groups they have access to. No need to create a GM group, just give them access to the groups they need.
Create SR role and set the permissions to own. Assign SR users to this role. This will restrict users in this role to only see their own records.
Create DM role and set the permission to group. Assign DM users to this role. Only one DM role is needed, and ALL of the GM and DM users should belong to it.
Add SR and DM role to all the DM security groups.
The logic is like this
Users who try to access a record will have to go through their Roles First, if its say Own, then that's where the security logic compares the owner of the record.
If the users Roles have a Group setting then User groups will be scanned, and check if the record belongs to someone on those groups. If not access is denied.
So thats it, the Group setting needs to be on each module you want to restrict access to, sadly this is a manual work. Take a look at this image, you can see the different types of access you can grant on a role/action.

Map user role to LDAP group

I have been looking for a while online and can't find how do I map a role to user group in JBoss.
I will be maintaining user groups in LDAP but the roles will be local, so I want to have a way of mapping the role to LDAP group in a static way - in property file or in xml config.