Keycloak group-based policy to prevent user from accessing a client - keycloak

I just started using Keycloak for my Spring project. I have been trying to make a multi-tenant approach using a group-based policy, but unsuccessfully. The user is still able to access a client that is not in the allowed groups of the group-based policy.
User1 (group1)
User2 (group2)
Client1 = accessible by group1
Client2 = accessible by group2
User2 shouldn't be able to access Client1.
Here's how I did it.
Created a group-based policy in Client1.
Created a new permission in Client1 with group1 only policy.
With this setup I shouldn't be able to access the Client1 with User2 user.

Do not misuse groups as tenants; use realms as tenants.

Related

Keycloak: Prevent client from logging in specific user

Is it possible in keycloak to prevent the account client from logging in a specific user? I have a user that is only supposed to log in via the admin-cli endpoints, but it is in the same realm as the account client.
You can try to remove the default-roles-<realm-name> role for this user. This will remove the effective roles for the account client role.

Keycloak - restrict the access to the admin console

Is there any way to restrict access to the Keycloak admin console at the level of groups or user roles? The way of restricting by IP (and an Undertow filter to block external access), unfortunately, does not quite suit me. I will be very grateful for any advice!
I tried to create roles for the security-admin-console and realm-management clients, but it didn't work; all the users still have access to the admin console.
It turned out that the problem was because of the realms' default groups. I checked them out and there was an admin role by default in all the realms' default groups. For this reason, all users imported from a third-party IdP had the admin role by default and had access to the admin console.

BPM Process for User Group (keycloak)

I've just integrated Keycloak with jBPM. Now I can log in to the jBPM console with a Keycloak user's credentials and get the related roles.
I created some User Groups in the Keycloak console and mapped some users to those User Groups in the Keycloak console. But I don't have any User Groups in jBPM that I mapped to my user in the Keycloak console.
I have created a (BPM) process with a human task assigned to a User Group (I entered the name of the User Group created in Keycloak). This task was unavailable for the user that had this User Group in the Keycloak mapping.
How do I map users to a group in Keycloak so that it is reflected in jBPM?
Actually, a role in Keycloak is a group in jBPM.
Create roles in Keycloak (the desired user groups in jBPM) and assign those roles to users.
Now processes for the specified User Groups (in jBPM) will be visible to users with the corresponding roles in the Keycloak server.
Note: You may need to create a default role user in the Keycloak server that will be mapped to the default jBPM user role.

How to define more fine-grained permissions or custom logic for built-in roles in Keycloak

Keycloak provides some built-in roles to manage Keycloak itself. These roles are defined in the realm-management client of every non-master realm. As an example, I can define a user which has the permissions to manage users. But now this user can change all the roles of all the users. The user can even change its own role.
In our application we need a hierarchical role structure in the following way. We have a root, an admin and some other specific application roles. The root role should be able to manage the Keycloak customer realm as well as some application-specific functionality. The admin role should have the permissions to manage users and also some application-specific functionality.
I have tried to model that in Keycloak the following way. I have two realm roles, root and admin, as well as some client (my-app) roles: root, admin, edit and view. The realm roles are composite roles which use their counterpart in the client (root -> my-app.root, admin -> my-app.admin).
Now, the issue is that the admin user can change its role to root. How can I restrict the permissions of the admin user to allow it only to manage users or roles that are on the same level or below? Is there such built-in functionality, or should I provide my own UI on top of the Keycloak REST API?
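One way to implement the "same level or below" rule in a custom UI or proxy placed in front of the Keycloak Admin REST API, as an added example that is not part of the question and not Keycloak's own code. The rank table, user ids and sample payloads are assumptions; the payload shape mirrors the RoleRepresentation list returned by the admin API's user role-mapping endpoints.

```python
# Hypothetical privilege ranks for the realm roles named in the question.
RANK = {"root": 3, "admin": 2, "edit": 1, "view": 0}


def role_names(role_representations):
    """Extract role names from a list of RoleRepresentation dicts."""
    return {r["name"] for r in role_representations}


def effective_rank(role_representations):
    """Highest rank a user holds; -1 if none of the ranked roles is present."""
    return max((RANK[n] for n in role_names(role_representations) if n in RANK),
               default=-1)


def authorize_role_change(actor_id, actor_roles, target_id, target_roles, new_role):
    """Decide whether actor may grant new_role to target.

    Policy from the question: a user may only manage users and roles on its own
    level or below. Two extra checks close the gap described there: a user may
    never change its own mappings, and the requested role must not exceed the
    actor's own rank, so an admin cannot hand out root to anyone.
    Returns (allowed, reason) so the caller can log the decision.
    """
    if new_role not in RANK:
        return False, f"role {new_role!r} is not governed by this policy"
    if actor_id == target_id:
        return False, "users may not change their own role mappings"
    actor_rank = effective_rank(actor_roles)
    if RANK[new_role] > actor_rank:
        return False, f"{new_role} is above the actor's level"
    if effective_rank(target_roles) > actor_rank:
        return False, "target user is above the actor's level"
    return True, "allowed"


# Constructed sample payloads, shaped like the admin API's role-mapping response.
ADMIN_USER = [{"name": "admin", "composite": True, "clientRole": False}]
VIEWER = [{"name": "view", "composite": False, "clientRole": False}]
ROOT_USER = [{"name": "root", "composite": True, "clientRole": False}]

if __name__ == "__main__":
    # The escalation from the question: admin tries to make itself root.
    print(authorize_role_change("u-admin", ADMIN_USER, "u-admin", ADMIN_USER, "root"))
    # Legitimate change one level down.
    print(authorize_role_change("u-admin", ADMIN_USER, "u-view", VIEWER, "edit"))
    # Admin may not touch a root user at all.
    print(authorize_role_change("u-admin", ADMIN_USER, "u-root", ROOT_USER, "view"))
```

The guard only decides; the caller still forwards the approved change to the admin API with a service account that holds the realm-management roles, so that end users never get those roles directly.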

Disable impersonation of a group, or for a realm within Keycloak?

Keycloak question for everyone.
Is it possible to disable impersonation of a group (for example, an admin group), or for a realm (the admin management console)?
Thx
You can assign the impersonation role to a user from the Client Roles of the realm.
Each realm has a built-in client called realm-management. This client defines client-level roles that specify permissions that can be granted to manage the realm.
You can find more on the available roles in the Keycloak docs.
Once you remove the impersonation client-level role for your realm, it is not available to any users of the realm.