  1. Keycloak
  2. KEYCLOAK-14322

Username not editable without having the “view-realm” role

    Details

    • Sprint:
      Keycloak Sprint 41, Keycloak Sprint 42, Keycloak Sprint 43
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      In the admin console the username field is never enabled for editing unless the editing user has the “view-realm” role.

      Actual behavior:
      Given a realm “test”
      and the realm's “Edit username” option enabled
      and a user “bob” with these realm-management roles: manage-users, query-groups, query-users, view-users
      when bob opens the “Details” tab for any account in the realm's admin console
      then the “Username” field is disabled.

      Expected behavior: The “Username” field is enabled.

      Known work-around: Grant the realm-management/view-realm role to bob.

      But this work-around has the unwanted side effect of the admin console showing additional menu items (Realm Settings, Roles, User Federation, Authentication, Sessions) which are confusing for bob (because he is a user helpdesk guy knowing nothing about realms, OIDC, user federation, etc.).

      Whether or not the field is editable is controlled by this expression (users.js, l. 391):

          $scope.editUsername = $scope.create || $scope.realm.editUsernameAllowed;

      But $scope.realm.editUsernameAllowed is always undefined if the editing user does not have the view-realm role.

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  devopsix Dirk Weinhardt
                • Votes:
                  0
                  Watchers:
                  4
