KeyCloak restricting user management to certain groups while enabling 'manage-users'
Problem description
Using the KeyCloak admin console, I am attempting to enact the following use-case.
We have a group X and a group Y.
The role 'Group X Admin' can do the following:
- Can create users that have no group.
- Can assign users that have no group to group X.
- Can edit and manage users in group X.
- Cannot view/edit/manage users in group Y.
It seems that in order to fulfill case 1, I must make 'Group X Admin' a composite role linked to the 'manage-users' role from the realm-management client. However, upon doing this, the 'Group X Admin' now has permission to view/manage/edit group Y users.
It seems I cannot restrict access to group Y, as fine-grained permissions seem to be completely overridden by the manage-users role.
Is there a way to grant permissions to Add Users while restricting access to certain groups?
Recommended answer
You should have a look at Fine Grain Admin Permissions. It's still in preview (so no support from RedHat) but it's the kind of functionality you are looking for.
I certainly have tested a setup that would fulfill items 3 and 4. The description in chapter 11.3.2 Restrict User Role Mapping should get you sufficiently close to item 2. Item 1 probably needs somewhat more investigation. I can't tell you if it's doable.
Even though Fine Grain Admin Permission is quite powerful, we came to the conclusion that it's not sufficient for our requirements. So we discarded it and went with a different solution (a privileged service in front of Keycloak for delegated user administration).
Update
Some notes on how to set it up:
- Enable preview profile (in Keycloak startup script)
- Enable permissions on client Realm-management (Clients / Realm-Management / Permissions / Permissions Enabled)
- Create a group x-users
- Create a group x-admins
- Enable permissions on group x-users (Groups / X / Permissions / Permissions Enabled)
- Click view-members (on the same page) and add a group policy:
  - Scopes: view-members
  - Apply Policy: Create Policy... / Group
  - Enter name, e.g. x-admin-policy
  - Enter description
  - Groups: select group x-admins
  - Save
- Repeat for manage-members
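The same setup, scripted against the Keycloak admin REST API, as an added example that is not part of the original answer. The endpoint paths and payload shapes are what the admin console itself sends and are assumed here; `call` is any function you supply with the signature `call(method, path, body) -> (status_code, parsed_json_or_None)`, e.g. a thin wrapper around `requests` that adds the bearer token. The final function adds the check the answer leaves implicit: an x-admins user should be able to list members of X but be refused for Y.

```python
from typing import Callable, Optional, Tuple

# Added example (not the original answer's code). HTTP transport is injected so the
# logic can be exercised offline; endpoint paths are assumed from the Keycloak admin API.
Http = Callable[[str, str, Optional[dict]], Tuple[int, Optional[object]]]
SCOPES = ("view-members", "manage-members")

def setup_group_admin(call: Http, realm: str, users_group: str,
                      admins_group: str, policy_name: str = "x-admin-policy") -> dict:
    base = f"/admin/realms/{realm}"
    # Step "Enable permissions on client Realm-management": that client owns the
    # authorization resource server all fine-grained admin permissions live in.
    _, clients = call("GET", f"{base}/clients?clientId=realm-management", None)
    rm_id = clients[0]["id"]
    call("PUT", f"{base}/clients/{rm_id}/management/permissions", {"enabled": True})
    # Steps "Create a group x-users" / "x-admins"; ids are looked up by path afterwards
    # because the create call only returns the id in a Location header.
    ids = {}
    for name in (users_group, admins_group):
        call("POST", f"{base}/groups", {"name": name})
        _, grp = call("GET", f"{base}/group-by-path/{name}", None)
        ids[name] = grp["id"]
    # Step "Enable permissions on group x-users": the response maps each scope
    # (view-members, manage-members, ...) to the id of its scope permission.
    _, ref = call("PUT", f"{base}/groups/{ids[users_group]}/management/permissions",
                  {"enabled": True})
    # Step "Create Policy... / Group": a group policy satisfied by members of x-admins.
    authz = f"{base}/clients/{rm_id}/authz/resource-server"
    _, policy = call("POST", f"{authz}/policy/group", {
        "name": policy_name,
        "description": f"members of {admins_group} may administer {users_group}",
        "logic": "POSITIVE",
        "groups": [{"id": ids[admins_group], "extendGroups": False}],
    })
    # Step "Apply Policy" for view-members, then "Repeat for manage-members".
    for scope in SCOPES:
        perm_id = ref["scopePermissions"][scope]
        _, perm = call("GET", f"{authz}/permission/scope/{perm_id}", None)
        perm["policies"] = [policy["id"]]           # replace, do not append: a
        call("PUT", f"{authz}/permission/scope/{perm_id}", perm)  # stale policy would widen access
    return {"groups": ids, "policy": policy["id"],
            "permissions": {s: ref["scopePermissions"][s] for s in SCOPES}}

def check_restriction(call_as_x_admin: Http, realm: str, x_id: str, y_id: str) -> bool:
    """True only if an x-admins user gets 200 for group X members and 403 for group Y."""
    x_status, _ = call_as_x_admin("GET", f"/admin/realms/{realm}/groups/{x_id}/members", None)
    y_status, _ = call_as_x_admin("GET", f"/admin/realms/{realm}/groups/{y_id}/members", None)
    return x_status == 200 and y_status == 403
```

Run `check_restriction` with a token obtained as a member of x-admins after the setup, and treat anything other than 403 on group Y as the setup being incomplete.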