KeyCloak restricting user management to certain groups while enabling 'manage-users'


Problem description


Using the KeyCloak admin console, I am attempting to enact the following use-case.

We have Group X and Group Y.


The role 'Group X Admin' can do the following:

  1. Can create users that have no group.
  2. Can assign users that have no group to Group X.
  3. Can edit and manage users in Group X.
  4. Cannot view/edit/manage users in Group Y.


It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.

It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.


Is there a way to grant permissions to Add Users while restricting access to certain groups?

Answer


You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from RedHat) but it's the kind of functionality you are looking for.


I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.


Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).

Update

Some instructions on how to set it up:

  • Enable preview profile (in Keycloak startup script)
  • Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
  • Create a group x-users
  • Create a group x-admins
  • Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
  • Click view-members (on the same page) and add a group policy:
    • Scopes: view-members
    • Apply Policy: Create Policy... / Group
    • Enter name, e.g. x-admin-policy
    • Enter description
    • Groups: select group x-admins
    • Save
    • Repeat for manage-members
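An added verification step (example code, not from the original answer): after completing the setup above, log in as a member of x-admins and confirm that listing members of x-users is allowed while listing members of group Y is denied. The base URL, realm, the group name y-users for group Y and the test account are assumed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8080"  # assumed Keycloak base URL (placeholder)
REALM = "myrealm"               # assumed realm name (placeholder)

def get_token(username, password):
    """Password grant against the realm's token endpoint using the built-in
    public client 'admin-cli'; returns the bearer token for the admin REST API."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def admin_get(token, path):
    """GET an admin REST path; return (HTTP status, parsed JSON or None).
    A 403 here means the fine-grained permission denied the request."""
    req = urllib.request.Request(f"{BASE}/admin/realms/{REALM}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def group_id(token, name):
    """Look up a top-level group id by exact name (the search matches substrings)."""
    _, groups = admin_get(token, f"/groups?search={urllib.parse.quote(name)}")
    return next((g["id"] for g in groups or [] if g.get("name") == name), None)

def violations(observed, expected):
    """Compare observed statuses of GET /groups/{id}/members with the intended
    outcome per group ('allow' -> 200, 'deny' -> 403); return groups that differ.
    A None status (group not even found) is reported too, for manual inspection."""
    want = {"allow": 200, "deny": 403}
    return [g for g, rule in expected.items() if observed.get(g) != want[rule]]

if __name__ == "__main__":
    # Assumed test account: a user who is a member of x-admins (placeholder creds).
    token = get_token("x-admin-user", "x-admin-password")
    expected = {"x-users": "allow", "y-users": "deny"}
    observed = {}
    for name in expected:
        gid = group_id(token, name)
        observed[name] = admin_get(token, f"/groups/{gid}/members")[0] if gid else None
    print("observed:", observed, "violations:", violations(observed, expected))
```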
