p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

Question about organization permissions #114

Closed jaakkom closed 11 months ago

jaakkom commented 11 months ago

Hello, looks like a user needs "realm-admin" to make the organization extension settings visible in the admin UI.

I think query-organizations and manage-organizations should be enough?

Realm-admin gives permission to about everything.

Is that expected behavior or a bug?

xgp commented 11 months ago

@jaakkom That's currently the behavior.

I don't recommend that anyone use the Keycloak Admin UI for anything other than super-admin use cases, as there have been lots of problems historically, and "fine grained admin permissions" never really got fully built out.

If you want to PR the change in order to make , I would suggest requiring the following realm-management roles:

query-organizations
manage-organizations
view-identity-providers
manage-identity-providers
view-users
query-users

as those all get used to render the "Organizations" tab properly.

For use cases where you want your users who are members of organizations to be able to self-manage their organization, we created an "organization portal" application. https://github.com/p2-inc/phasetwo-admin-portal . It's bundled in our docker image, or you can build and deploy it from that repo.
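An added example, not code from the issue or from the keycloak-orgs project: a small audit script that takes a user's realm-management client role mappings (a constructed sample shaped like the JSON Keycloak's admin REST API returns for `.../role-mappings/clients/{client-id}`), reports whether the user is over-privileged (holds the `realm-admin` composite, which implies every other realm-management role), sufficient, or missing some of the six roles xgp lists above, and prints the `kcadm.sh add-roles` invocation that would grant only the missing ones. The role list is taken from the comment; the realm name, usernames and role assignments are assumptions for illustration.

```python
"""Audit a Keycloak user's realm-management client roles against the set the
keycloak-orgs "Organizations" admin tab needs, without resorting to realm-admin.

Added example, not part of p2-inc/keycloak-orgs. Required roles are the ones
suggested in the issue; everything else (realm, users, mappings) is constructed.
"""
import json
import shlex
from typing import Iterable

# Realm-management client roles that render the "Organizations" tab (from the issue).
REQUIRED_ROLES = frozenset({
    "query-organizations",
    "manage-organizations",
    "view-identity-providers",
    "manage-identity-providers",
    "view-users",
    "query-users",
})

# Composite realm-management role that grants every other realm-management role.
SUPER_ADMIN_ROLE = "realm-admin"


def roles_from_mapping(mapping_json: str) -> set:
    """Extract role names from a client role-mapping response (list of role reps)."""
    return {rep["name"] for rep in json.loads(mapping_json)}


def audit_user(roles: Iterable[str]) -> dict:
    """Classify a user's realm-management roles relative to REQUIRED_ROLES.

    Returns {"status": "over-privileged" | "ok" | "insufficient", "missing": [...]}.
    realm-admin is reported as over-privileged even though it technically suffices,
    because it hands the user every realm-management permission.
    """
    held = set(roles)
    if SUPER_ADMIN_ROLE in held:
        return {"status": "over-privileged", "missing": []}
    missing = sorted(REQUIRED_ROLES - held)
    return {"status": "ok" if not missing else "insufficient", "missing": missing}


def kcadm_grant_command(realm: str, username: str, roles: Iterable[str]) -> str:
    """Build the kcadm.sh command that grants only the given realm-management roles.

    Flags follow Keycloak's admin CLI (add-roles -r <realm> --uusername <user>
    --cclientid realm-management --rolename <role> ...). Nothing is executed here.
    """
    role_flags = " ".join(f"--rolename {shlex.quote(r)}" for r in sorted(roles))
    return (f"kcadm.sh add-roles -r {shlex.quote(realm)} "
            f"--uusername {shlex.quote(username)} "
            f"--cclientid realm-management {role_flags}")


# Constructed sample: what GET .../role-mappings/clients/{realm-management-id}
# might return for three hypothetical users in a hypothetical realm "acme".
SAMPLE_MAPPINGS = {
    "alice": '[{"id": "1", "name": "realm-admin", "composite": true}]',
    "bob": ('[{"id": "2", "name": "query-organizations"},'
            ' {"id": "3", "name": "manage-organizations"}]'),
    "carol": json.dumps([{"id": str(i), "name": r} for i, r in enumerate(REQUIRED_ROLES)]),
}


def audit_realm(realm: str, mappings: dict) -> dict:
    """Audit every user in `mappings`; include a remediation command where roles are missing."""
    report = {}
    for username, mapping_json in mappings.items():
        result = audit_user(roles_from_mapping(mapping_json))
        if result["missing"]:
            result["fix"] = kcadm_grant_command(realm, username, result["missing"])
        report[username] = result
    return report


if __name__ == "__main__":
    for user, result in audit_realm("acme", SAMPLE_MAPPINGS).items():
        print(f"{user}: {result['status']}")
        if result["missing"]:
            print("  missing:", ", ".join(result["missing"]))
            print("  fix:", result["fix"])
```

The `over-privileged` branch is the point of the thread: `realm-admin` makes the tab appear, but so does the narrower six-role set, which is what you would grant to a delegated administrator.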