Keycloak / KEYCLOAK-9177

Accessing realm admin console in 4.7.0 requires view-realm role

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • 4.7.0.Final
    • None
    • Admin - Console
    • None
    • Steps to reproduce:
      1. Create an admin user and give it the 'manage-users', 'query-groups', 'query-users', and 'view-users' realm-management roles
      2. Try to access the admin console with this user
      3. Actual: Observe that a 403 forbidden error occurred
      4. Expected: Users see the "Manage > Groups" and "Manage > Users" tabs
    • NEW
    • NEW

    Description

      We've recently upgraded from 4.5.0 to 4.7.0 and users can no longer access the dedicated realm admin console (/auth/admin/{realm}/console) with the same realm-management roles that they had previously. Our admin users should only be able to manage users and groups so that only the "Manage > Groups" and "Manage > Users" tabs show up in the realm admin console. Previously in 4.5.0 they had the 'manage-users', 'query-groups', 'query-users', and 'view-users' roles in order to make this happen.

      However, with the new upgrade in 4.7.0, admins are now seeing a 403 forbidden error when trying to access the admin console. We found that by adding the 'view-realm' role, users are then able to access the admin console, but this enables too many permissions for the admin users that we do not wish to enable, such as configuring the Realm Settings, Roles, User Federation, and Authentication.

      Looking at past issues in this Jira, perhaps this is a similar problem that is now broken again? https://issues.jboss.org/browse/KEYCLOAK-4328

            People

              psilva@redhat.com Pedro Igor Craveiro
              mandyfung Mandy Fung (Inactive)
              Votes: 2
              Watchers: 5