How to share configuration between realms in keycloak - keycloak

We are working with Keycloak. In our application, we have different organizations, and we created a different realm for each organization in Keycloak too.
Our requirement is that each realm admin needs to manage their users and roles (create users and assign roles, etc.), but role creation should be restricted. Is there any possible solution for this?
Please let me know the answers to the following questions:
1 Is there any possibility to inherit/share/copy the User Federation from the master realm to any other? If not, then what is the best practice for handling these types of requirements?
2 Are there any options to disable some administration for realms (for example, role creation needs to be blocked for all realms except master)?
Please see some similar questions:
Inherit/Share User Federation in Keycloak
https://keycloak.discourse.group/t/shared-realms-configuration/3642
Thank you

Related

Multitenancy with KeyCloak

We have a system that utilizes different tenants, where users can be part of one or multiple tenants. You can imagine it as one application, where users can switch between the tenants and see assets related to the selected tenantId.
Our external Keycloak adviser proposes to use one realm and reflect the different tenants as clients in Keycloak.
I've read in different sources that it is not advised to use multi-tenancy with one realm, though I am not 100% sure whether that applies to our use case.
Additionally, we will need to have different groups on the same user, depending on the tenantId.
For example, a user could have Group A and B on tenant 1 but only Group B on tenant 2. This doesn't seem to be possible out of the box with Keycloak.
Which general approach would you suggest?

Keycloak: Optimal Approach for Managing User Hierarchies and Child Groups (Teams)

I scrolled through the documentation of Keycloak and also set it up on my machine to explore.
I also explored fine-grained permissions; however, I didn't find much detail in the documentation around n-level nested hierarchies.
Here https://www.keycloak.org/docs/latest/server_admin/ talks about limiting an admin user to managing a particular client; however, I want certain users within the client to be able to create accounts, but with scopes and attributes limited to what's assigned to themselves.
For example:
For a client (ERP > Transactions) we want to create an Org (our customer) Admin who in turn will create teams and team admins. Team admins shall be able to invite their teammates there.
Now I just want to know whether Keycloak alone can be used to make sure a user in one Org can't create a user in some other Org; in the same way, a team admin shouldn't be able to onboard/invite a user into some other team.
Because if Keycloak in principle can't handle this, our team will start writing custom logic in our application code base for it.

Keycloak - how to implement delegated administration

I need to implement a user hierarchy using Keycloak and I was wondering if someone has done it before or perhaps can give me some pointers on different ways.
In our scenario we have:
a single application to protect with OpenID Connect
1 single super-admin (realm admin)
many team admins (created by the super admin) who can only administer users who belong to the same team as themselves
ordinary users who belong to a given team and are created by the team admin
Is there a way to achieve this using Keycloak's authorization?
Shall I build a custom REST endpoint in Keycloak to implement this?
Shall I create groups/teams perhaps?
I am not sure what the easiest route is. I would like to implement the easiest solution.

Role Activity & Access Level

I have developed a web application with the following architecture:
Frontend: Angular 6
Backend: Java REST APIs with Spring Boot
I want to add authentication and authorization to it. For that I'm looking for some open source application (e.g. Keycloak, Gluu, etc.). I would like to know in which tool the scenarios below are supported.
There will be a predefined set of Activities on the UI (e.g. Add, Edit, Delete, etc.)
There will be predefined Access Levels (e.g. Read, Write, No Access)
I should be able to create Roles, then assign activities and access levels to those roles, and assign those roles to users.
Can you please help me find a tool which supports the above scenario?
I tried something with Keycloak, but I couldn't find a way to add activities and access levels and map roles to them. I think everything there is governed by Role only.
I just realized that I need activity-based authorization and not role-based authorization. Please help me find some tool for that.
I'm not sure what is meant by activity-based authorization, but I suspect you actually mean permission-based authorization, for example: grant permissions to users to perform certain actions.
Shiro offers you permissions and role based authorization out of the box.
You can create roles, add permissions to these roles and assign them to a user. Both implicit and explicit roles are supported, and one role can hold any number of permissions. You can even work with wildcards and group the permissions.
For more information you should take a look at the official Shiro entry and especially the web documentation for your project in particular. Shiro offers full support for Spring Boot applications; you can find a HowTo here.
Shiro fully supports your described scenario.

How to configure group-based policies in Keycloak

I am a Keycloak freshman.
I want to create a fairly simple group-based access control system using Keycloak's authorization system.
I tried to configure a group-based policy but failed; my steps are as follows:
1. Creating a group named "user",
2. Configuring resources, scopes and so on
3. Setting the policy as a Group-based policy, but in this step there is something that confuses me: "Groups Claim". The description of "Groups Claim" is:
"A claim to use as the source for users group. If the claim is present it must be an array of strings".
Following this description, I configured "[user]" in this field.
Is there something wrong with my configuration?
Could someone give me some guidance?
Thanks.
Usually with Keycloak you do authorization by using roles. Groups can then be utilized to associate roles with multiple users (the members of the group).
If you need more fine-grained authorization capabilities than roles, you can have a look at Keycloak's authorization sub-system with resources, permissions, policies and authorization scopes.
But for simplicity I recommend starting with roles.
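As an added example, not taken from any post on this page, here is a small Python model of how a Keycloak Group-based policy evaluates the claim named in its "Groups Claim" field: that field holds the name of a token claim (for example "groups") whose value must be an array of group path strings, and each path is compared with the groups configured on the policy, optionally extended to child groups. The policy structure and the tokens are constructed assumptions that simplify Keycloak's real provider: a missing or non-array claim is treated as a deny, and no fallback to the user's stored group membership is modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class GroupPolicy:
    """Simplified Group-based policy (assumption: only the fields needed here)."""
    name: str
    groups_claim: str          # name of the token claim that carries group paths
    groups: Dict[str, bool]    # configured group path -> "Extend to Children" flag


def groups_from_token(claims: dict, groups_claim: str) -> Optional[List[str]]:
    """Return the group paths found in the claim, or None when the claim is
    absent or is not an array of strings (the policy then denies)."""
    value = claims.get(groups_claim)
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        return None
    return value


def group_matches(configured: str, extend_children: bool, actual: str) -> bool:
    """Exact path match, or a descendant path when extend_children is set.
    The trailing "/" guards against "/user" matching "/username"."""
    if actual == configured:
        return True
    return extend_children and actual.startswith(configured.rstrip("/") + "/")


def evaluate(policy: GroupPolicy, claims: dict) -> bool:
    """True when at least one group path in the token satisfies the policy."""
    paths = groups_from_token(claims, policy.groups_claim)
    if paths is None:
        return False
    return any(group_matches(cfg, ext, p)
               for cfg, ext in policy.groups.items() for p in paths)


# Constructed sample: a policy reading the "groups" claim and allowing "/user".
ONLY_USERS = GroupPolicy("only-users", "groups", {"/user": False})
USERS_AND_TEAMS = GroupPolicy("users-and-teams", "groups", {"/user": True})
# Mistake from the question: the claim *name* set to "[user]" instead of "groups".
MISCONFIGURED = GroupPolicy("misconfigured", "[user]", {"/user": False})

# Constructed token claims as Keycloak's group membership mapper emits them (full path).
TOKEN = {"sub": "constructed-user-id", "groups": ["/user"]}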