owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

[deployment][ocis-keycloak] New group can be created from ocis #10121

Open amrita-shrestha opened 1 month ago

amrita-shrestha commented 1 month ago

Using the example deployment of ocis_keycloak from https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak, a new group can be created from the ocis webUI.

Expectation

A new group should not be created from the oCIS webUI but only from the Keycloak dashboard.

Related issue

CC @rhafer @mmattel

rhafer commented 1 month ago

Hm, this one is somewhat tricky. The keycloak example is using auto provisioning (PROXY_AUTOPROVISION_ACCOUNTS). Autoprovisioning creates users using the graph API (using the service account), so it requires write access to the LDAP server, hence GRAPH_LDAP_SERVER_WRITE_ENABLED cannot be set to false. That however implies that all users with the "Accounts Management" permission are allowed to create, edit and update users and groups.

It is currently possible to disable certain user management options in the WebUI by setting FRONTEND_READONLY_USER_ATTRIBUTES but that will still not prevent any operations on the graph API directly, neither is it possible to prevent group management using that.

Also there are certain scenarios where it might be needed to manage group membership via ocis while users are auto provisioned. After all the group autoprovisioning was only introduced pretty recently and IDPs might not even expose group information at all.

Before we start adding more and more config options for all those different scenarios we should probably take a step back and define how much of this we actually want to support.

Maybe it would also be enough to have an additional role in the settings service that is basically an admin without the "account management" permission. Unfortunately that would also forbid the admin from listing users currently, since we don't have separate permissions for read and write.

@micbar @tbsbdr I think this requires some refinement to clarify what we actually want/need.
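The point rhafer makes above, that FRONTEND_READONLY_USER_ATTRIBUTES only hides options in the Web UI and does not stop the same operations on the graph API, is worth verifying on a deployment before relying on it as a control. The following probe is an added example written for this page; it is not part of oCIS or of the ocis_keycloak deployment. It POSTs to the libre graph groups endpoint (/graph/v1.0/groups) as whatever user the supplied bearer token belongs to and reports whether that user can still create a group. The hostname default, the OCIS_TOKEN variable and the idea that you obtain the token out of band (for example from the browser session of a Keycloak-authenticated user) are assumptions of this script, not settings from the deployment example.

```shell
#!/usr/bin/env bash
# Added example: probe whether group creation through the oCIS graph API
# still succeeds for the calling user, independent of what the Web UI hides.
set -euo pipefail

# Assumed hostname; adjust to the deployment under test.
OCIS_URL="${OCIS_URL:-https://ocis.owncloud.test}"
# Assumption: a bearer token for the user under test, obtained out of band.
OCIS_TOKEN="${OCIS_TOKEN:-}"

# POST /graph/v1.0/groups with a displayName and print only the HTTP status.
# -k is used because the example deployments ship self-signed certificates.
graph_create_group() {
  local name="$1"
  curl -sk -o /dev/null -w '%{http_code}' \
    -X POST "${OCIS_URL}/graph/v1.0/groups" \
    -H "Authorization: Bearer ${OCIS_TOKEN}" \
    -H 'Content-Type: application/json' \
    --data "{\"displayName\":\"${name}\"}"
}

# Translate the status code into a verdict a reviewer can act on.
# 201: the caller can create groups on the API, so hiding the UI option
#      (FRONTEND_READONLY_USER_ATTRIBUTES) is not an effective control.
# 401/403: the request was rejected (missing permission or bad token).
verdict() {
  case "$1" in
    201)     echo "OPEN: group created via graph API; UI read-only settings did not block it" ;;
    401|403) echo "BLOCKED: caller lacks the Accounts Management permission or the token is invalid" ;;
    *)       echo "UNEXPECTED: HTTP $1" ;;
  esac
}

main() {
  # Use a unique, clearly labelled name so a created probe group is easy to spot and remove.
  local name="probe-group-$(date +%s)"
  local code
  code="$(graph_create_group "$name")"
  verdict "$code"
  echo "If OPEN, delete the probe group '${name}' afterwards (DELETE /graph/v1.0/groups/{id})." >&2
}

# Only run the probe when a token was supplied, so the file can also be sourced.
if [ -n "${OCIS_TOKEN}" ]; then
  main "$@"
fi
```

Run it as `OCIS_URL=https://ocis.owncloud.test OCIS_TOKEN='<token>' bash probe-groups.sh`. A 201 from a user who should only be able to consume groups from Keycloak confirms the gap described in the comment; a 403 for the same user would mean the settings-service permission, not the UI setting, is what is doing the enforcing.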