Users Permissions Args
Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions This is part of a preview Keycloak feature: admin_fine_grained_authz (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). This feature can be enabled with the Keycloak option -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled. See the example docker-compose.yml file for an example. When enabling fine-grained permissions for users, Keycloak does several things automatically:
- Enable Authorization on the built-in `realm-management` client (if not already enabled).
- Create a resource representing the users permissions.
- Create the scopes `view`, `manage`, `map-roles`, `manage-group-membership`, `impersonate`, and `user-impersonated`.
- Create all scope-based permissions for the scopes and users resources.
This resource should only be created once per realm.
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.openid.OpenidFunctions;
import com.pulumi.keycloak.openid.inputs.GetClientArgs;
import com.pulumi.keycloak.openid.ClientPermissions;
import com.pulumi.keycloak.openid.ClientPermissionsArgs;
import com.pulumi.keycloak.User;
import com.pulumi.keycloak.UserArgs;
import com.pulumi.keycloak.openid.ClientUserPolicy;
import com.pulumi.keycloak.openid.ClientUserPolicyArgs;
import com.pulumi.keycloak.UsersPermissions;
import com.pulumi.keycloak.UsersPermissionsArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsViewScopeArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsManageScopeArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsMapRolesScopeArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsManageGroupMembershipScopeArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsImpersonateScopeArgs;
import com.pulumi.keycloak.inputs.UsersPermissionsUserImpersonatedScopeArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
    // Entry point: hand the stack definition to the Pulumi engine.
    // The lambda simply forwards the engine-supplied context to stack().
    Pulumi.run(ctx -> stack(ctx));
}
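public static void stack(Context ctx) {
    // Realm whose users the fine-grained permissions below apply to.
    var realm = new Realm("realm", RealmArgs.builder()
        .realm("my-realm")
        .build());

    // Look up the built-in realm-management client. The doc text above says this
    // client is the one on which fine-grained user permissions are enabled, so
    // its id is used as the resource server id further down.
    final var realmManagement = OpenidFunctions.getClient(GetClientArgs.builder()
        .realmId(realm.id())
        .clientId("realm-management")
        .build());
    // The generated example wrapped this lookup in nested, shadowing applyValue()
    // calls (an identity projection followed by applyValue on the plain result,
    // which has no such method). One projection to the client id is all that is
    // needed, and it is reused for both consumers below.
    final var realmManagementId = realmManagement.applyValue(getClientResult -> getClientResult.id());

    // enable permissions for realm-management client
    var realmManagementPermission = new ClientPermissions("realmManagementPermission", ClientPermissionsArgs.builder()
        .realmId(realm.id())
        .clientId(realmManagementId)
        .enabled(true)
        .build());

    // creating a user to use with the keycloak_openid_client_user_policy resource
    var test = new User("test", UserArgs.builder()
        .realmId(realm.id())
        .username("test-user")
        .email("test-user@fakedomain.com")
        .firstName("Testy")
        .lastName("Tester")
        .build());

    // User policy that matches exactly the user above. dependsOn makes sure the
    // resource server (the permissions switch on realm-management) exists before
    // the policy is attached to it.
    var testClientUserPolicy = new ClientUserPolicy("testClientUserPolicy", ClientUserPolicyArgs.builder()
        .realmId(realm.id())
        .resourceServerId(realmManagementId)
        .name("client_user_policy_test")
        .users(test.id())
        .logic("POSITIVE")
        .decisionStrategy("UNANIMOUS")
        .build(), CustomResourceOptions.builder()
        .dependsOn(realmManagementPermission)
        .build());

    // For brevity this example binds all six user scopes to the same policy.
    // NOTE(review): the impersonate / user-impersonated scopes presumably let the
    // policy's members act as other users in the realm (confirm against the
    // Keycloak docs linked above); in a real deployment each scope is normally
    // bound to its own, narrower policy rather than one shared policy.
    var usersPermissions = new UsersPermissions("usersPermissions", UsersPermissionsArgs.builder()
        .realmId(realm.id())
        .viewScope(UsersPermissionsViewScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .manageScope(UsersPermissionsManageScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .mapRolesScope(UsersPermissionsMapRolesScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .manageGroupMembershipScope(UsersPermissionsManageGroupMembershipScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .impersonateScope(UsersPermissionsImpersonateScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .userImpersonatedScope(UsersPermissionsUserImpersonatedScopeArgs.builder()
            .policies(testClientUserPolicy.id())
            .description("description")
            .decisionStrategy("UNANIMOUS")
            .build())
        .build());
}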
}resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
# enable permissions for realm-management client
realmManagementPermission:
type: keycloak:openid:ClientPermissions
name: realm_management_permission
properties:
realmId: ${realm.id}
clientId: ${realmManagement.id}
enabled: true
# creating a user to use with the keycloak_openid_client_user_policy resource
test:
type: keycloak:User
properties:
realmId: ${realm.id}
username: test-user
email: test-user@fakedomain.com
firstName: Testy
lastName: Tester
testClientUserPolicy:
type: keycloak:openid:ClientUserPolicy
name: test
properties:
realmId: ${realm.id}
resourceServerId: ${realmManagement.id}
name: client_user_policy_test
users:
- ${test.id}
logic: POSITIVE
decisionStrategy: UNANIMOUS
options:
dependson:
- ${realmManagementPermission}
usersPermissions:
type: keycloak:UsersPermissions
name: users_permissions
properties:
realmId: ${realm.id}
viewScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
manageScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
mapRolesScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
manageGroupMembershipScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
impersonateScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
userImpersonatedScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
variables:
realmManagement:
fn::invoke:
Function: keycloak:openid:getClient
Arguments:
realmId: ${realm.id}
clientId: realm-management
Argument Reference
The following arguments are supported:
- `realm_id` - (Required) The realm in which to manage fine-grained user permissions.

Each of the scopes that can be managed is defined below:

- `view_scope` - (Optional) When specified, set the scope based view permission.
- `manage_scope` - (Optional) When specified, set the scope based manage permission.
- `map_roles_scope` - (Optional) When specified, set the scope based map_roles permission.
- `manage_group_membership_scope` - (Optional) When specified, set the scope based manage_group_membership permission.
- `impersonate_scope` - (Optional) When specified, set the scope based impersonate permission.
- `user_impersonated_scope` - (Optional) When specified, set the scope based user_impersonated permission.

The configuration block for each of these scopes supports the following arguments:

- `policies` - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID.
- `description` - (Optional) Description of the permission.
- `decision_strategy` - (Optional) Decision strategy of the permission.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- `enabled` - When true, this indicates that fine-grained user permissions are enabled. This will always be `true`.
- `authorization_resource_server_id` - Resource server id representing the realm management client on which these permissions are managed.