Bhupesh Shrestha

Reputation: 248

Exclusion feature in Keycloak IDM

I am trying to develop a web application using Angular 4, Java EE and WildFly. I am planning on using Keycloak as IDM. I researched and found that we can provide roles to a user, but what I couldn't find is whether it provides a feature to exclude some privilege from the admin role.

For example: I want to provide a user with the admin role all the privileges except one, so I want to exclude that privilege from that admin.

Is it possible using Keycloak? If not, can anyone suggest any other IDM matching this requirement?

Upvotes: 0

Views: 263

Answers (1)

Boomer

Reputation: 3721

No, you cannot change the privileges of admin role. Yes, you can use Keycloak.
From http://www.keycloak.org/docs/latest/server_admin/topics/admin-console-permissions/fine-grain.html:

Fine grain permissions are used to grant additional permissions. You cannot override the default behavior of the built in admin roles.

I think you can still achieve what you want with Keycloak's flexible administrative role and permission management. Just not exactly in the way you think it should be done.
Don't give your administration user the role admin, but some of the more restrictive roles of client realm-management (e.g. view-realm, manage-users).

Upvotes: 1
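
The approach in the answer above, as an added example that is not part of the original post or Keycloak's own code: since the admin role cannot be reduced, compute the set of `realm-management` roles to grant instead, skipping any composite role that would pull the excluded privilege back in. The role catalogue and its composite relationships below are a constructed sample (assumption: read the real list from your own realm, it varies by Keycloak version); the helper names are hypothetical.

```python
# Constructed sample: realm-management client roles mapped to the roles
# they include as composites. Not read from a live Keycloak server.
SAMPLE_ROLES = {
    "realm-admin": {"view-realm", "manage-realm", "view-users", "manage-users",
                    "view-clients", "manage-clients"},
    "view-realm": set(),
    "manage-realm": set(),
    "view-users": {"query-users", "query-groups"},
    "manage-users": set(),
    "view-clients": {"query-clients"},
    "manage-clients": set(),
    "query-users": set(),
    "query-groups": set(),
    "query-clients": set(),
}


def effective(role, catalog, seen=None):
    """Return the role plus every role it transitively includes."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for child in catalog.get(role, ()):
            effective(child, catalog, seen)
    return seen


def roles_to_grant(catalog, excluded):
    """Every role whose effective permissions avoid all excluded roles."""
    excluded = set(excluded)
    unknown = excluded - set(catalog)
    if unknown:
        # Fail closed: a typo must not silently grant the privilege.
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return sorted(r for r in catalog if not (effective(r, catalog) & excluded))


def kcadm_args(realm, username, roles):
    """Arguments for Keycloak's kcadm.sh add-roles, one --rolename per role."""
    args = ["add-roles", "-r", realm, "--uusername", username,
            "--cclientid", "realm-management"]
    for role in roles:
        args += ["--rolename", role]
    return args


if __name__ == "__main__":
    grant = roles_to_grant(SAMPLE_ROLES, {"manage-realm"})
    print("kcadm.sh " + " ".join(kcadm_args("demo", "alice", grant)))
```

Excluding a leaf such as `query-users` also drops `view-users` and `realm-admin`, because both would grant it indirectly.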
