UsersPermissions

class UsersPermissions : KotlinCustomResource

Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions

This is part of a preview Keycloak feature: admin_fine_grained_authz (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). This feature can be enabled with the Keycloak option -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled. See the example docker-compose.yml file for an example.

When enabling fine-grained permissions for users, Keycloak does several things automatically:

  1. Enable Authorization on built-in realm-management client (if not already enabled).

  2. Create a resource representing the users permissions.

  3. Create scopes view, manage, map-roles, manage-group-membership, impersonate, and user-impersonated.

  4. Create scope-based permissions for the scopes and users resources.

This resource should only be created once per realm.

Example Usage

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
  # enable permissions for realm-management client
  realmManagementPermission:
    type: keycloak:openid:ClientPermissions
    name: realm_management_permission
    properties:
      realmId: ${realm.id}
      clientId: ${realmManagement.id}
      enabled: true
  # creating a user to use with the keycloak_openid_client_user_policy resource
  test:
    type: keycloak:User
    properties:
      realmId: ${realm.id}
      username: test-user
      email: test-user@fakedomain.com
      firstName: Testy
      lastName: Tester
  testClientUserPolicy:
    type: keycloak:openid:ClientUserPolicy
    name: test
    properties:
      realmId: ${realm.id}
      resourceServerId: ${realmManagement.id}
      name: client_user_policy_test
      users:
        - ${test.id}
      logic: POSITIVE
      decisionStrategy: UNANIMOUS
    options:
      dependsOn:
        - ${realmManagementPermission}
  usersPermissions:
    type: keycloak:UsersPermissions
    name: users_permissions
    properties:
      realmId: ${realm.id}
      viewScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      manageScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      mapRolesScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      manageGroupMembershipScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      impersonateScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      userImpersonatedScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
variables:
  realmManagement:
    fn::invoke:
      function: keycloak:openid:getClient
      arguments:
        realmId: ${realm.id}
        clientId: realm-management
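The same stack written against this Kotlin SDK, as an added example that is not part of the original page or of the provider's own documentation. It assumes that a realm named my-realm already exists (so the built-in realm-management client can be looked up with a plain invoke instead of depending on a Realm resource), and that the admin_fine_grained_authz feature is enabled on the server as described above. It goes one step beyond the YAML example: the day-to-day scopes (view, manage, map-roles, manage-group-membership) are bound to a help-desk policy, while the two impersonation scopes are bound to a separate, narrower policy, so that the riskiest capability is not granted by the same policy as routine user administration. All resource names, usernames and policy names are constructed for this example.

```kotlin
import com.pulumi.keycloak.kotlin.openid.OpenidFunctions
import com.pulumi.keycloak.kotlin.openid.clientPermissions
import com.pulumi.keycloak.kotlin.openid.clientUserPolicy
import com.pulumi.keycloak.kotlin.user
import com.pulumi.keycloak.kotlin.usersPermissions
import com.pulumi.kotlin.Pulumi

// Assumption: this realm already exists in Keycloak (constructed name for the example).
const val REALM_ID = "my-realm"

fun main() {
    Pulumi.run { ctx ->
        // The built-in realm-management client is the resource server on which
        // the users permissions are created (see authorization_resource_server_id).
        val realmManagement = OpenidFunctions.getClient(
            realmId = REALM_ID,
            clientId = "realm-management",
        )

        // Step 1 from the description: enable Authorization on realm-management.
        val realmManagementPermission = clientPermissions("realm_management_permission") {
            args {
                realmId(REALM_ID)
                clientId(realmManagement.id)
            }
        }

        // Constructed sample users: one help-desk operator, one privileged administrator.
        val helpdeskUser = user("helpdesk-user") {
            args {
                realmId(REALM_ID)
                username("helpdesk-user")
            }
        }
        val adminUser = user("privileged-admin") {
            args {
                realmId(REALM_ID)
                username("privileged-admin")
            }
        }

        // Two client user policies on the realm-management resource server. Both depend on
        // Authorization having been enabled first, exactly as the YAML example's dependsOn.
        val helpdeskPolicy = clientUserPolicy("helpdesk_policy") {
            args {
                realmId(REALM_ID)
                resourceServerId(realmManagement.id)
                name("helpdesk_user_policy")
                users(helpdeskUser.id)
                logic("POSITIVE")
                decisionStrategy("UNANIMOUS")
            }
            opts { dependsOn(realmManagementPermission) }
        }
        val impersonationPolicy = clientUserPolicy("impersonation_policy") {
            args {
                realmId(REALM_ID)
                resourceServerId(realmManagement.id)
                name("impersonation_user_policy")
                users(adminUser.id)
                logic("POSITIVE")
                decisionStrategy("UNANIMOUS")
            }
            opts { dependsOn(realmManagementPermission) }
        }

        // One UsersPermissions resource per realm. Routine scopes go to the help-desk policy;
        // impersonate and user-impersonated are gated by the separate impersonation policy.
        val permissions = usersPermissions("users_permissions") {
            args {
                realmId(REALM_ID)
                viewScope {
                    policies(helpdeskPolicy.id)
                    description("Help desk may view users")
                    decisionStrategy("UNANIMOUS")
                }
                manageScope {
                    policies(helpdeskPolicy.id)
                    description("Help desk may manage users")
                    decisionStrategy("UNANIMOUS")
                }
                mapRolesScope {
                    policies(helpdeskPolicy.id)
                    description("Help desk may map roles")
                    decisionStrategy("UNANIMOUS")
                }
                manageGroupMembershipScope {
                    policies(helpdeskPolicy.id)
                    description("Help desk may manage group membership")
                    decisionStrategy("UNANIMOUS")
                }
                impersonateScope {
                    policies(impersonationPolicy.id)
                    description("Only the impersonation policy may impersonate")
                    decisionStrategy("UNANIMOUS")
                }
                userImpersonatedScope {
                    policies(impersonationPolicy.id)
                    description("Only the impersonation policy may be impersonated as")
                    decisionStrategy("UNANIMOUS")
                }
            }
        }

        // Computed attributes from the Attributes Reference section.
        ctx.export("usersPermissionsEnabled", permissions.enabled)
        ctx.export("authorizationResourceServerId", permissions.authorizationResourceServerId)
    }
}
```

Run it with pulumi up inside a Pulumi Kotlin project that has the Keycloak provider configured. The exported authorizationResourceServerId should equal the id returned by the realm-management lookup, which is a quick sanity check that the permissions landed on the intended resource server; a scope left unspecified in the args block is simply not managed by this resource.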

Argument Reference

The following arguments are supported:

  • realm_id - (Required) The realm in which to manage fine-grained user permissions.

Each of the scopes that can be managed is configured with one of the following optional blocks:

  • view_scope - (Optional) When specified, sets the scope-based view permission.

  • manage_scope - (Optional) When specified, sets the scope-based manage permission.

  • map_roles_scope - (Optional) When specified, sets the scope-based map_roles permission.

  • manage_group_membership_scope - (Optional) When specified, sets the scope-based manage_group_membership permission.

  • impersonate_scope - (Optional) When specified, sets the scope-based impersonate permission.

  • user_impersonated_scope - (Optional) When specified, sets the scope-based user_impersonated permission.

The configuration block for each of these scopes supports the following arguments:

  • policies - (Optional) Policies assigned to the permission. Each element in this list should be a policy ID.

  • description - (Optional) Description of the permission.

  • decision_strategy - (Optional) Decision strategy of the permission.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • enabled - When true, this indicates that fine-grained user permissions are enabled. This will always be true.

  • authorization_resource_server_id - Resource server id representing the realm management client on which these permissions are managed.

Properties

val authorizationResourceServerId: Output<String>

Resource server id representing the realm management client on which this permission is managed

val enabled: Output<Boolean>

val id: Output<String>

val pulumiChildResources: Set<KotlinResource>

val realmId: Output<String>

val urn: Output<String>