Reputation: 63
Is it possible to limit the available groups that a user with the manage-membership permission can assign to other users?
The scenario:
I have a Keycloak instance with one sub-realm. There are multiple groups (companies) that are allowed to open the security-admin-console for this realm. I have 3 additional groups: admin, poweruser, user. I want powerusers to be able to create new users and assign them -> only <- to the group (company) they themselves belong to. With the manage-membership permission they are able to assign new users to all groups, even the admin group.
Is such a restriction possible or do I have to change my underlying concept?
Thanks Marc
Upvotes: 1
Views: 2037
Reputation: 150
It seems you're trying to set up a Multi-Tenancy solution only using a single realm. I would not advise trying to use this approach.
I have configured RedHatSSO (which is the paid version of KeyCloak) for multiple customers by using the following approach: Two realms per customer (company).
CompanyA_admin and CompanyA_user.
Groups can be configured to have admin privileges over other Realms. By using this approach, you can give admin privileges over the customer realm to users of the CompanyA_admin Realm, and normal users can be added to the CompanyA_user Realm with basic read-only access.
By doing this, your powerusers will have admin privileges but only over the Realms you have configured.
I believe the reason for the incorporation of "Realms" was to allow for your specific use case, and the logical separation of groups, or in your case, companies.
Upvotes: 1
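The realm-per-company layout the answer recommends, scripted against the Keycloak Admin REST API, as an added example that is not part of the original question or answer. It creates a `CompanyA_user` realm and a `CompanyA_admin` group whose members get `manage-users`, `view-users`, `query-users` and `query-groups` on that realm only; the group is placed in the `master` realm, because that is where Keycloak creates the `<realm>-realm` client whose roles carry admin rights over a given realm (the answer's `CompanyA_admin` realm name is kept for the group). The base URL, the bearer token and the `FakeKeycloak` transport are constructed placeholders so the script runs offline; the endpoint paths and status codes are the documented Admin REST API ones.

```python
import json
import urllib.request

# Client roles on the "<realm>-realm" client in the master realm that together
# let a group create users and manage group membership in that realm only.
ADMIN_ROLES = ("manage-users", "view-users", "query-users", "query-groups")


class KeycloakAdmin:
    """Thin Admin REST API client. transport(method, path, body) -> (status, json)
    is injectable so the provisioning logic can be exercised without a server."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._send = transport or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Authorization": "Bearer " + self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def _expect(self, method, path, body, ok):
        status, payload = self._send(method, path, body)
        if status != ok:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return payload

    def create_realm(self, name):
        self._expect("POST", "/admin/realms", {"realm": name, "enabled": True}, 201)

    def create_group(self, realm, name):
        # Keycloak answers 201 with only a Location header, so look the group up by name.
        self._expect("POST", f"/admin/realms/{realm}/groups", {"name": name}, 201)
        groups = self._expect("GET", f"/admin/realms/{realm}/groups?search={name}", None, 200)
        return next(g["id"] for g in groups if g["name"] == name)

    def client_uuid(self, realm, client_id):
        clients = self._expect("GET", f"/admin/realms/{realm}/clients?clientId={client_id}", None, 200)
        return next(c["id"] for c in clients if c["clientId"] == client_id)

    def client_role(self, realm, client_uuid, role_name):
        return self._expect("GET", f"/admin/realms/{realm}/clients/{client_uuid}/roles/{role_name}", None, 200)

    def grant_client_roles(self, realm, group_id, client_uuid, roles):
        path = f"/admin/realms/{realm}/groups/{group_id}/role-mappings/clients/{client_uuid}"
        self._expect("POST", path, roles, 204)


def provision_company(admin, company):
    """Create the <company>_user realm and a <company>_admin group in master whose
    members administer that realm and nothing else. Returns a summary of the grant."""
    user_realm = f"{company}_user"
    admin.create_realm(user_realm)
    group_id = admin.create_group("master", f"{company}_admin")
    # Creating a realm makes Keycloak add a "<realm>-realm" client to master.
    client = admin.client_uuid("master", f"{user_realm}-realm")
    roles = [admin.client_role("master", client, r) for r in ADMIN_ROLES]
    admin.grant_client_roles("master", group_id, client, roles)
    return {"realm": user_realm, "group_id": group_id,
            "client": f"{user_realm}-realm", "roles": [r["name"] for r in roles]}


class FakeKeycloak:
    """Constructed stand-in for a server: records every call and answers lookups."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "POST":
            return (204 if "/role-mappings/" in path else 201), None
        if "/clients?clientId=" in path:
            cid = path.split("clientId=")[1]
            return 200, [{"id": "uuid-" + cid, "clientId": cid}]
        if "/groups?search=" in path:
            name = path.split("search=")[1]
            return 200, [{"id": "gid-" + name, "name": name}]
        if "/roles/" in path:
            name = path.rsplit("/", 1)[1]
            return 200, {"id": "rid-" + name, "name": name}
        raise AssertionError("unexpected call " + path)


if __name__ == "__main__":
    fake = FakeKeycloak()  # drop transport= to talk to a real server with a master admin token
    kc = KeycloakAdmin("https://keycloak.example/auth", "TOKEN-PLACEHOLDER", transport=fake)
    print(json.dumps(provision_company(kc, "CompanyA"), indent=2))
```

Run it once per company; a poweruser placed in `CompanyA_admin` can then create users and change group membership inside `CompanyA_user`, while the `admin` group of any other realm is out of reach because no role on any other `<realm>-realm` client was granted.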