60 lines
3.4 KiB
XML
60 lines
3.4 KiB
XML
|
<chapter id="per-realm-admin-permissions">
|
||
|
|
<title>Per Realm Admin Access Control</title>
|
||
|
|
<para>
|
||
|
|
Administering your realm through the <literal>master</literal> realm as discussed in <xref linkend="admin-permissions" /> may not always be
|
||
|
|
ideal or feasible. For example, maybe you have more than one admin application that manages various admin aspects of your organization
|
||
|
|
and you want to unify all these different "admin consoles" under one realm so you can do SSO between them. Keycloak allows you to
|
||
|
|
grant realm admin privleges to users within that realm. These realm admins can participate in SSO for that realm and
|
||
|
|
visit a keycloak admin console instance that is dedicated solely for that realm by going to the url:
|
||
|
|
<literal>/{keycloak-root}/admin/{realm}/console</literal>
|
||
|
|
</para>
|
||
|
|
<section>
|
||
|
|
<title>Realm Roles</title>
|
||
|
|
<para>
|
||
|
|
Each realm has a built-in application called <literal>realm-management</literal>. This application defines
|
||
|
|
roles that define permissions that can be granted to manage the realm.
|
||
|
|
<itemizedlist>
|
||
|
|
<listitem>
|
||
|
|
<literal>realm-admin</literal> - This is a composite role that grants all admin privileges for managing
|
||
|
|
security for that realm.
|
||
|
|
</listitem>
|
||
|
|
</itemizedlist>
|
||
|
|
These are more fine-grain roles you can assign to the user.
|
||
|
|
|
||
|
|
<itemizedlist>
|
||
|
|
<listitem>
|
||
|
|
<literal>view-realm</literal> - View the realm configuration
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>view-users</literal> - View users (including details for specific user) in the realm
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>view-applications</literal> - View applications in the realm
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>view-clients</literal> - View clients in the realm
|
||
|
|
</listitem>
|
||
|
|
|
||
|
|
<listitem>
|
||
|
|
<literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>manage-users</literal> - Create, modify and delete users in the realm
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>manage-applications</literal> - Create, modify and delete applications in the realm
|
||
|
|
</listitem>
|
||
|
|
<listitem>
|
||
|
|
<literal>manage-clients</literal> - Create, modify and delete clients in the realm
|
||
|
|
</listitem>
|
||
|
|
</itemizedlist>
|
||
|
|
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
|
||
|
|
</para>
|
||
|
|
<para>
|
||
|
|
To add these roles to a user select the realm you want. Then click on <literal>Users</literal>.
|
||
|
|
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
|
||
|
|
<literal>Application Roles</literal> select <literal>realm-management</literal>, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
|
||
|
|
</para>
|
||
|
|
</section>
|
||
|
|
</chapter>
|