eosc-kc / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Investigate fine-grained authorisation model for group managers #108

Open NicolasLiampotis opened 3 years ago

NicolasLiampotis commented 3 years ago

It should be possible to assign the group manager role to one or more users for a specific group hierarchy under a realm.

See also https://www.keycloak.org/docs/latest/authorization_services/

cgeorgilakis commented 3 years ago

Fine Grain Admin Permissions is disabled by default. I have enabled it in cappakleis1. With Fine Grain Admin Permissions, you can permit a user to manage a specific group / manage specific group memberships. However, the UI is not well constructed. In order to manage a group, I must copy-paste the view group page (I cannot open it from the group pager). Managing group memberships is more difficult, due to the fact that adding/removing a user from a group is done from the User menu (Groups tab). I did not know how to manage specific group memberships.

cgeorgilakis commented 2 years ago

Keycloak documentation (Technology Preview - not included by default): https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions.

The Keycloak documentation has an example for editing user-specific permissions on Clients. They suggest giving the role query-clients to this User in order to be able to search for and find the Client he is able to update. The query-users and query-groups roles exist as well. We can use them. The problem is that, for giving a User the permission to manage specific groups, we also need to give him the role view-users in order to be able to view the Groups tab of a specific User. This tab is the only way to add/remove a user from a group. @NicolasLiampotis this is a good reason to support the ability to add users from the Members tab of a group. We need to investigate the new admin console in Keycloak vanilla 16.0.0.

Keycloak's fine-grained list of permissions includes:
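As an added example (not code from this thread or from the Keycloak project), the following Python script drives the steps described in the comment above through Keycloak's admin REST API: enable fine-grained permissions on one group, create a user policy that matches the designated manager, attach that policy to the group's scope permissions, and grant the realm-management client roles (query-groups and query-users so the console can search, plus view-users as the workaround mentioned). The realm name `eosc`, group id `g1`, user id `u-alice`, the fake server responses and every helper name are constructed for illustration. It assumes a bearer token for a realm admin obtained separately (e.g. from the token endpoint) and that Keycloak accepts a scope-permission update whose body is the fetched representation with only `policies` replaced.

```python
"""Wire up a Keycloak group manager via fine-grained admin permissions.

Added example, not Keycloak's own code. REST paths are Keycloak's admin API;
the realm/group/user identifiers, the fake responses in fake_keycloak() and
the helper names are assumptions for illustration.
"""
import json
import urllib.request

# Keys of "scopePermissions" in the groups/{id}/management/permissions reply.
MANAGER_SCOPES = ("view", "manage", "view-members", "manage-membership", "manage-members")

# realm-management client roles the manager needs to reach the group in the
# console; view-users is the workaround from the comment and exposes every
# user in the realm to the manager, not only the group's members.
MANAGER_ROLES = ("query-groups", "query-users", "view-users")


def group_manager_steps(realm, group_id, manager_user_id, scopes=MANAGER_SCOPES):
    """Generator of (method, path, body) admin calls; each yield receives the
    parsed JSON reply, so the same logic runs live or against canned data."""
    base = f"/admin/realms/{realm}"
    clients = yield ("GET", f"{base}/clients?clientId=realm-management", None)
    rm_id = clients[0]["id"]
    authz = f"{base}/clients/{rm_id}/authz/resource-server"

    # 1. Enable fine-grained permissions on the group; the reply carries the
    #    IDs of the scope permissions Keycloak created for it.
    perms = yield ("PUT", f"{base}/groups/{group_id}/management/permissions", {"enabled": True})

    # 2. A user policy that is satisfied only by the designated manager.
    policy = yield ("POST", f"{authz}/policy/user",
                    {"name": f"group-manager-{group_id}", "logic": "POSITIVE",
                     "users": [manager_user_id]})

    # 3. Attach that policy to each requested scope permission: fetch the
    #    current representation so name/logic/decisionStrategy are kept and
    #    only "policies" changes (assumption: the server merges it this way).
    for scope in scopes:
        perm_id = perms["scopePermissions"][scope]
        current = yield ("GET", f"{authz}/permission/scope/{perm_id}", None)
        yield ("PUT", f"{authz}/permission/scope/{perm_id}", {**current, "policies": [policy["id"]]})

    # 4. Grant the realm-management roles needed to navigate to the group.
    roles = []
    for name in MANAGER_ROLES:
        role = yield ("GET", f"{base}/clients/{rm_id}/roles/{name}", None)
        roles.append({"id": role["id"], "name": role["name"]})
    yield ("POST", f"{base}/users/{manager_user_id}/role-mappings/clients/{rm_id}", roles)
    return len(scopes)


def run(steps, send):
    """Drive a step generator with send(method, path, body) -> parsed JSON."""
    try:
        req = next(steps)
        while True:
            req = steps.send(send(*req))
    except StopIteration as done:
        return done.value


def http_sender(server_url, token):
    """Live driver: e.g. http_sender("https://kc.example.org", admin_token)."""
    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(server_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None  # 204 replies have no body
    return send


def fake_keycloak():
    """Offline driver with constructed replies; records every call it gets."""
    log = []

    def send(method, path, body):
        log.append((method, path, body))
        if path.endswith("clients?clientId=realm-management"):
            return [{"id": "rm-1111"}]
        if path.endswith("/management/permissions"):
            return {"enabled": True, "resource": "res-grp",
                    "scopePermissions": {s: f"perm-{s}" for s in MANAGER_SCOPES}}
        if path.endswith("/policy/user"):
            return {"id": "pol-2222", **body}
        if "/permission/scope/" in path and method == "GET":
            scope = path.rsplit("perm-", 1)[1]
            return {"id": f"perm-{scope}", "name": f"{scope} permission (constructed)",
                    "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS"}
        if "/roles/" in path:
            name = path.rsplit("/", 1)[1]
            return {"id": f"role-{name}", "name": name, "clientRole": True}
        return None
    return send, log


def demo():
    """Dry run against the fake server; returns (scopes wired, call log)."""
    send, log = fake_keycloak()
    count = run(group_manager_steps("eosc", "g1", "u-alice"), send)
    return count, log


if __name__ == "__main__":
    wired, calls = demo()
    print(f"wired {wired} scope permissions in {len(calls)} admin calls")
    for method, path, _ in calls:
        print(method, path)
```

Run it as-is for a dry run that prints every admin call; swap `fake_keycloak()` for `http_sender(...)` to apply the same steps to a server. Two caveats worth keeping in mind: view-users widens what the manager can see to the whole realm, which is more than a per-group manager should strictly need, and the later comment in this thread reports that membership management by such a group admin still did not work on 16.1.0, so verify the manage-membership and manage-members scopes on your version before relying on them.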

cgeorgilakis commented 2 years ago

I have tested it with Keycloak vanilla 16.1.0. Unfortunately, managing group members as a group admin is not working. I have added the configuration from the previous comment to test it. Their example and editing a group are working. Maybe we can add a discussion to the dev list and/or open a bug for this.