Admin2: Fine Grained permissions/policies are ignored

Describe the bug

I’ve recently migrated from 16.x to 19.0.1 using the legacy WildFly non-quarkus distribution provided using the legacy keycloak operator. It seems that our fine-grained permissions are no longer applicable when using the default admin2 web UI, as users can now list users in a group but not view their settings. [screenshot] Of course adding the view-users client role is way too permissive and not acceptable. Since no backend request is being made (no XHR) and of course clearing all cookies, local and session storage the issue remains. The only workaround I have found is simply to disable admin2 UI (too bad, it seemed snappy)

Version

19.0.1

Expected behavior

I expect the UI to provide the same functionality as the old UI, allowing users to manage with the view-members group permission and corresponding policy to be able to view user info.

Actual behavior

See attached screenshot

How to Reproduce?

  • Activate fine grained authorization
  • Create a group policy
  • Create a group permission to the group resource with scopes view, manage-members, manage-membership and view-members with the corresponding policy and make it unanimous.
  • Test that a user with the appropriate role and permission can view members using the old UI
  • Verify that using the new UI it doesn’t work anymore

Anything else?

No response

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

1 reaction
tkautenburger commented, Aug 18, 2022

@tkautenburger Thanks for the feedback.

That sounds like a separate issue. Can you create a new issue for it here? https://github.com/keycloak/keycloak-ui/issues

Please leave detail on roles and fine-grained permissions of the user and the difference in behavior between the old and new console.

Created new issue here: #3141

0 reactions
neuromantik33 commented, Aug 16, 2022

@ssilvert Sorry for the delay (holiday weekend here in France)… I’ll try to test within the week… However as @tkautenburger pointed out, our multitenancy uses groups and fine-grained authz and if our users are unable to create users but just assign them roles, the new reactive UI will be a showstopper for that as well. But I’ll try to deploy your fix (I still need to build keycloak and package it as a dockerfile since we’re using the operator) and validate your PR. Thanks!
