36 lines
1.6 KiB
Text
36 lines
1.6 KiB
Text
|
[[_per_realm_admin_permissions]]
|
||
|
|
||
|
= Per Realm Admin Access Control
|
||
|
|
||
|
Administering your realm through the `master` realm as discussed in <<_admin_permissions>> may not always be ideal or feasible.
|
||
|
For example, maybe you have more than one admin application that manages various admin aspects of your organization and you want to unify all these different "admin consoles" under one realm so you can do SSO between them.
|
||
|
Keycloak allows you to grant realm admin privileges to users within that realm.
|
||
|
These realm admins can participate in SSO for that realm and visit a keycloak admin console instance that is dedicated solely for that realm by going to the url: `/{keycloak-root}/admin/{realm}/console`
|
||
|
|
||
|
== Realm Roles
|
||
|
|
||
|
Each realm has a built-in application called `realm-management`.
|
||
|
This application defines roles that define permissions that can be granted to manage the realm.
|
||
|
These are more fine-grain roles you can assign to the user.
|
||
|
|
||
|
* realm-admin
|
||
|
* view-realm
|
||
|
* view-users
|
||
|
* view-applications
|
||
|
* view-clients
|
||
|
* view-events
|
||
|
* manage-realm
|
||
|
* manage-users
|
||
|
* manage-applications
|
||
|
* manage-clients
|
||
|
* manage-events
|
||
|
|
||
|
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
|
||
|
|
||
|
To add these roles to a user,
|
||
|
|
||
|
. Select the realm you want.
|
||
|
. Then click on `Users`.
|
||
|
. Find the user you want to grant permissions to, open the user and click on `Role Mappings`.
|
||
|
. Under `Application Roles` select `realm-management`, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
|