2014-03-06 13:33:53 +00:00
<chapter id= "admin-permissions" >
2014-05-28 13:31:33 +00:00
<title > Master Admin Access Control</title>
2014-03-06 13:33:53 +00:00
<para >
2014-05-28 13:31:33 +00:00
You can create and manage multiple realms by logging into the <literal > master</literal> Keycloak admin console
at <literal > /{keycloak-root/admin/index.html</literal>
</para>
<para >
Users in the Keycloak <literal > master</literal> realm can be granted permission to manage zero or more realms that are
deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain
permissions to access that new realm.
Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal > master</literal> realm.
2014-03-06 13:33:53 +00:00
It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
</para>
<section >
<title > Global Roles</title>
<para >
2014-05-28 13:31:33 +00:00
There are two realm roles in the <literal > master</literal> realm. These are:
2014-03-06 13:33:53 +00:00
<itemizedlist >
<listitem >
<literal > admin</literal> - This is the super-user role and grants permissions to all operations on all realms
</listitem>
<listitem >
<literal > create-realm</literal> - This grants the user permission to create new realms. A user that creates a realm is granted all permissions to the newly created realm.
</listitem>
</itemizedlist>
</para>
<para >
2014-05-28 13:31:33 +00:00
To add these roles to a user select the <literal > master</literal> realm, then click on <literal > Users</literal> .
2014-03-06 13:33:53 +00:00
Find the user you want to grant permissions to, open the user and click on <literal > Role Mappings</literal> . Under
<literal > Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
</section>
<section >
<title > Realm Specific Roles</title>
<para >
2014-05-28 13:31:33 +00:00
Each realm in Keycloak is represented by an application in the <literal > master</literal> realm. The name of the application
2014-03-06 13:33:53 +00:00
is <literal > < realm name> -realm</literal> . This allows assigning access to users for individual realms. The
roles available are:
<itemizedlist >
<listitem >
<literal > view-realm</literal> - View the realm configuration
</listitem>
<listitem >
<literal > view-users</literal> - View users (including details for specific user) in the realm
</listitem>
<listitem >
<literal > view-applications</literal> - View applications in the realm
</listitem>
<listitem >
<literal > view-clients</literal> - View clients in the realm
</listitem>
<listitem >
<literal > manage-realm</literal> - Modify the realm configuration (and delete the realm)
</listitem>
<listitem >
<literal > manage-users</literal> - Create, modify and delete users in the realm
</listitem>
<listitem >
<literal > manage-applications</literal> - Create, modify and delete applications in the realm
</listitem>
<listitem >
<literal > manage-clients</literal> - Create, modify and delete clients in the realm
</listitem>
</itemizedlist>
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
</para>
<para >
2014-05-28 13:31:33 +00:00
To add these roles to a user select the <literal > master</literal> realm, then click on <literal > Users</literal> .
2014-03-06 13:33:53 +00:00
Find the user you want to grant permissions to, open the user and click on <literal > Role Mappings</literal> . Under
<literal > Application Roles</literal> select the application that represents the realm you're adding permissions to
(<literal > < realm name> -realm</literal> ), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
</section>
2014-05-28 13:31:33 +00:00
</chapter>
