Keycloak Access Roles - Global and Country Level
Roles that can be assigned to a user (Global and Realm-level)
| Keycloak permissions | Description | Realm country support | Realm country admin | Global admin |
|---|---|---|---|---|
| | Who? --> | 2-4 local support staff | 1 or 2 local system admin (ex. SWZ case: J. Chang) | D. Castelao, S. Letting |
| admin | System superusers, have access to manage any realms on the server (has to be assigned on the master realm). | | | X |
| realm-admin | Total access to the realm, cannot manage other realms. | | | X |
| query-realm | Show option ‘Realm settings’ in the main menu. | X | X | X |
| view-realm | Grant read-only access to the realm settings. | X | X | X |
| manage-realm | Grant editing access to the realm settings. | | X | X |
| query-users | Show option ‘Users’ in the main menu. | X | X | X |
| view-users | Grant read-only access to the realm users. | X | X | X |
| manage-users | Grant editing access to the realm users and groups. | X | X | X |
| query-groups | Show option ‘Groups’ in the main menu. | X | X | X |
| query-clients | Show option ‘Clients’ and option ‘Client Scopes’ in the main menu. | X | X | X |
| view-clients | Grant read-only access to the realm clients. | X | X | X |
| create-client | Allow the creation of new clients in the realm. | | X | X |
| manage-clients | Grant editing access to the realm clients. | | X | X |
| view-events | Show option ‘Events’ in the main menu and grant read-only access to the realm events. | X | X | X |
| manage-events | Grant editing access to the realm events. (Although events cannot be modified, not exactly sure what this role does) | | X | X |
| view-identity-providers | Show option ‘Identity providers’ in the main menu and grant read-only access to them. | X | X | X |
| manage-identity-providers | Grant editing access to the realm identity providers. | | | X |
| impersonation | Grant the possibility to impersonate other users. You will log out from Keycloak and automatically log in as the user being impersonated. (Mainly used by administrators to troubleshoot users' issues) | | | X |
| view-authorization | Show option ‘Authorization’ in the clients menu. | | X | X |
| manage-authorization | Grant editing access to a client's authorization settings. | | | X |
Read more: https://www.keycloak.org/docs/22.0.1/server_admin/#_admin_permissions
How to assign roles to a user
In the Keycloak administration console, go to the Users menu and click on the user you want to grant permissions to.
Search for the tab ‘Role mapping’ and click on ‘Assign role’.
Click on the filter dropdown and select ‘Filter by clients’.
There you will find all the roles listed in the above table. Make sure you select the roles that belong to the default client ‘realm-management’.
To access the realm administration console, replace <realm-name> in the following URL with the name of the realm in which the user resides. After the user successfully logs in, they will see the new permissions.
https://keycloak.psi-mis.org/admin/<realm-name>/console/
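
The same assignment can be scripted so that the role set granted per profile is reviewable before it is applied. The following is an added example, not part of the original page: it prints (does not run) the `kcadm.sh add-roles` command for each profile in the table above. The profile names `support`, `country-admin` and `global-admin`, the script name, and the realm `swz` and user `jdoe` in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Role sets are copied from the table above; the realm
# "swz" and user "jdoe" in the usage line are constructed placeholders.
# Rows marked X for all three profiles:
BASE="query-realm view-realm query-users view-users manage-users query-groups \
query-clients view-clients view-events view-identity-providers"
# Rows additionally marked for Realm country admin and Global admin:
COUNTRY_ADMIN_EXTRA="manage-realm create-client manage-clients manage-events view-authorization"
# realm-management rows marked for Global admin only:
GLOBAL_EXTRA="realm-admin manage-identity-providers impersonation manage-authorization"

# Print the realm-management roles for a profile, space separated.
roles_for_profile() {
  case "$1" in
    support)       echo "$BASE" ;;
    country-admin) echo "$BASE $COUNTRY_ADMIN_EXTRA" ;;
    global-admin)  echo "$BASE $COUNTRY_ADMIN_EXTRA $GLOBAL_EXTRA" ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Succeed only for non-empty names without shell metacharacters,
# because the printed command is meant to be pasted into a terminal.
safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) echo "invalid name: $1" >&2; return 1 ;;
  esac
}

# Print the kcadm.sh command granting <profile> to <user> in <realm>.
assign_cmd() {  # usage: assign_cmd <realm> <user> <profile>
  safe_name "$1" || return 1
  safe_name "$2" || return 1
  roles=$(roles_for_profile "$3") || return 1
  cmd="kcadm.sh add-roles -r $1 --uusername $2 --cclientid realm-management"
  for r in $roles; do cmd="$cmd --rolename $r"; done
  echo "$cmd"
}

# The 'admin' row is a realm role on master, so it needs its own command.
master_admin_cmd() {  # usage: master_admin_cmd <user>
  safe_name "$1" || return 1
  echo "kcadm.sh add-roles -r master --uusername $1 --rolename admin"
}

# Usage: sh assign-roles.sh swz jdoe support
# (authenticate first with 'kcadm.sh config credentials')
if [ "$#" -eq 3 ]; then assign_cmd "$@"; fi
```

Comparing the printed command against the table before running it keeps the global-only roles, such as `impersonation` and `realm-admin`, from being granted to country-level accounts by mistake.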