Users
Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions This is part of a preview Keycloak feature: admin_fine_grained_authz (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). This feature can be enabled with the Keycloak option -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled. See the example docker-compose.yml file for an example. When enabling fine-grained permissions for users, Keycloak does several things automatically:
Enable Authorization on built-in
realm-managementclient (if not already enabled).Create a resource representing the users permissions.
Create scopes
view,manage,map-roles,manage-group-membership,impersonate, anduser-impersonated.Create all scope based permission for the scopes and users resources.
This resource should only be created once per realm.
Example Usage
resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
# enable permissions for realm-management client
realmManagementPermission:
type: keycloak:openid:ClientPermissions
name: realm_management_permission
properties:
realmId: ${realm.id}
clientId: ${realmManagement.id}
enabled: true
# creating a user to use with the keycloak_openid_client_user_policy resource
test:
type: keycloak:User
properties:
realmId: ${realm.id}
username: test-user
email: test-user@fakedomain.com
firstName: Testy
lastName: Tester
testClientUserPolicy:
type: keycloak:openid:ClientUserPolicy
name: test
properties:
realmId: ${realm.id}
resourceServerId: ${realmManagement.id}
name: client_user_policy_test
users:
- ${test.id}
logic: POSITIVE
decisionStrategy: UNANIMOUS
options:
dependson:
- ${realmManagementPermission}
usersPermissions:
type: keycloak:UsersPermissions
name: users_permissions
properties:
realmId: ${realm.id}
viewScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
manageScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
mapRolesScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
manageGroupMembershipScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
impersonateScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
userImpersonatedScope:
policies:
- ${testClientUserPolicy.id}
description: description
decisionStrategy: UNANIMOUS
variables:
realmManagement:
fn::invoke:
Function: keycloak:openid:getClient
Arguments:
realmId: ${realm.id}
clientId: realm-managementArgument Reference
The following arguments are supported:
realm_id- (Required) The realm in which to manage fine-grained user permissions. Each of the scopes that can be managed are defined below:view_scope- (Optional) When specified, set the scope based view permission.manage_scope- (Optional) When specified, set the scope based manage permission.map_roles_scope- (Optional) When specified, set the scope based map_roles permission.manage_group_membership_scope- (Optional) When specified, set the scope based manage_group_membership permission.impersonate_scope- (Optional) When specified, set the scope based impersonate permission.user_impersonated_scope- (Optional) When specified, set the scope based user_impersonated permission. The configuration block for each of these scopes supports the following arguments:policies- (Optional) Assigned policies to the permission. Each element within this list should be a policy ID.description- (Optional) Description of the permission.decision_strategy- (Optional) Decision strategy of the permission.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
enabled- When true, this indicates that fine-grained user permissions are enabled. This will always betrue.authorization_resource_server_id- Resource server id representing the realm management client on which these permissions are managed.