Red Hat build of Keycloak, RHBK-1265

Ability to query all Users in a Role including composite Roles and Groups


      The Admin CLI tool or the REST API lets the admin look up the users in a specific role, for example:

      ./kcadm.sh get clients/{clientid}/roles/{role_name}/users -r <REALM>
      

      or with the REST API:

      /admin/realms/{realm}/clients/{clientid}/roles/{role_name}/users
      

       

      This shows only the users directly in the role "{role_name}". Because a role can be composite and can be associated with groups, a user can also be in a role implicitly, by being in a group or through a composite role.

      For example, it would be nice to have an additional parameter such as "composites", which is "false" by default:

      /admin/realms/{realm}(/client/{clientId})/roles/{rolename}/users?composites=true
      

       
      With this, every user who belongs to `{rolename}` directly or indirectly (through a composite role, or because the user belongs to a group hierarchy which at some level has this role) will appear in the result of the API.

      This is more relevant because in an environment with complex roles and groups, users rarely have roles directly assigned to them. The roles are usually assigned through a group hierarchy or other parent roles.

      For the sake of auditing in companies with large numbers of users and roles, it becomes very important to be able to see all the users who are not only immediate members of roles or groups, but also are effective members in a role or group by membership in another role or group.
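The effective-membership calculation this request asks for, as an added example (not Keycloak code and not part of the original issue). It runs over a constructed in-memory realm model; the dictionary layout and all role, group and user names are assumptions. It follows both composite roles and role mappings inherited from parent groups.

```python
# Constructed sample realm data; this dictionary layout is hypothetical,
# not a Keycloak API response format.
COMPOSITES = {            # composite role -> roles it contains
    "admin": {"auditor", "editor"},
    "auditor": {"report-viewer"},
}
GROUP_PARENT = {          # group -> parent group (None for top level)
    "staff": None, "finance": "staff", "finance-emea": "finance", "guests": None,
}
GROUP_ROLES = {"finance": {"auditor"}, "guests": {"editor"}}
USER_ROLES = {"alice": {"report-viewer"}, "bob": {"admin"}, "carol": set(),
              "dave": set(), "erin": {"editor"}}
USER_GROUPS = {"carol": {"finance-emea"}, "dave": {"guests"}, "erin": {"staff"}}


def roles_granting(target):
    """Return target plus every composite role that contains it transitively."""
    granting, changed = {target}, True
    while changed:
        changed = False
        for parent, children in COMPOSITES.items():
            if parent not in granting and children & granting:
                granting.add(parent)
                changed = True
    return granting


def inherited_group_roles(group):
    """Roles mapped to a group or to any ancestor (subgroups inherit mappings)."""
    roles, seen = set(), set()
    while group is not None and group not in seen:  # 'seen' guards cyclic data
        seen.add(group)
        roles |= GROUP_ROLES.get(group, set())
        group = GROUP_PARENT.get(group)
    return roles


def effective_members(target):
    """Map each effective member of target to how the role reaches them."""
    granting, result = roles_granting(target), {}
    for user, direct in USER_ROLES.items():
        if target in direct:
            result[user] = "direct"
        elif direct & granting:
            result[user] = "composite"
        elif any(inherited_group_roles(g) & granting
                 for g in USER_GROUPS.get(user, ())):
            result[user] = "group"
    return result
```

For an audit, the "composite" and "group" entries are the ones a direct-members query leaves out.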

       

              rhn-support-igueye Issa Gueye