keycloak-scim/docbook/reference/en/en-US/modules/admin-permissions.xml

<chapter id="admin-permissions">
    <title>Master Admin Access Control</title>
    <para>
        You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console
        at <literal>/{keycloak-root}/admin/index.html</literal>
    </para>
    <para>
        Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are
        deployed on the Keycloak server.  When a realm is created, Keycloak automatically creates various roles that grant fine-grain
        permissions to access that new realm.
        Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.
        It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
    </para>
    <section>
        <title>Global Roles</title>
        <para>
            There are two realm roles in the <literal>master</literal> realm. These are:
            <itemizedlist>
                <listitem>
                    <literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms
                </listitem>
                <listitem>
                    <literal>create-realm</literal> - This grants the user permission to create new realms. A user that creates a realm is granted all permissions to the newly created realm.
                </listitem>
            </itemizedlist>
        </para>
        <para>
            To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
            Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
            <literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
        </para>
    </section>

    <section>
        <title>Realm Specific Roles</title>
        <para>
            Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application
            is <literal>&lt;realm name&gt;-realm</literal>. This allows assigning access to users for individual realms. The
            roles available are:
            <itemizedlist>
                <listitem>
                    <literal>view-realm</literal> - View the realm configuration
                </listitem>
                <listitem>
                    <literal>view-users</literal> - View users (including details for specific user) in the realm
                </listitem>
                <listitem>
                    <literal>view-applications</literal> - View applications in the realm
                </listitem>
                <listitem>
                    <literal>view-clients</literal> - View clients in the realm
                </listitem>
                <listitem>
                    <literal>view-events</literal> - View events in the realm
                </listitem>

                <listitem>
                    <literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
                </listitem>
                <listitem>
                    <literal>manage-users</literal> - Create, modify and delete users in the realm
                </listitem>
                <listitem>
                    <literal>manage-applications</literal> - Create, modify and delete applications in the realm
                </listitem>
                <listitem>
                    <literal>manage-clients</literal> - Create, modify and delete clients in the realm
                </listitem>
                <listitem>
                    <literal>manage-events</literal> - Enable/disable events, clear logged events and manage event listeners
                </listitem>
            </itemizedlist>
            Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
        </para>
        <para>
            To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
            Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
            <literal>Application Roles</literal> select the application that represents the realm you're adding permissions to
            (<literal>&lt;realm name&gt;-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
        </para>
    </section>
</chapter>
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`<chapter id="admin-permissions">`
update docs 2014-05-28 13:31:33 +00:00			`<title>Master Admin Access Control</title>`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`<para>`
update docs 2014-05-28 13:31:33 +00:00			`You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console`
Fix typo in docs 2014-05-29 08:28:54 +00:00			`at <literal>/{keycloak-root}/admin/index.html</literal>`
update docs 2014-05-28 13:31:33 +00:00			`</para>`
			`<para>`
			`Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are`
			`deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain`
			`permissions to access that new realm.`
			`Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.`
			`</para>`
			`<section>`
			`<title>Global Roles</title>`
			`<para>`
update docs 2014-05-28 13:31:33 +00:00			`There are two realm roles in the <literal>master</literal> realm. These are:`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`<itemizedlist>`
			`<listitem>`
			`<literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms`
			`</listitem>`
			`<listitem>`
			`<literal>create-realm</literal> - This grants the user permission to create new realms. A user that creates a realm is granted all permissions to the newly created realm.`
			`</listitem>`
			`</itemizedlist>`
			`</para>`
			`<para>`
update docs 2014-05-28 13:31:33 +00:00			`To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under`
			`<literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.`
			`</para>`
			`</section>`

			`<section>`
			`<title>Realm Specific Roles</title>`
			`<para>`
update docs 2014-05-28 13:31:33 +00:00			`Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`is <literal><realm name>-realm</literal>. This allows assigning access to users for individual realms. The`
			`roles available are:`
			`<itemizedlist>`
			`<listitem>`
			`<literal>view-realm</literal> - View the realm configuration`
			`</listitem>`
			`<listitem>`
			`<literal>view-users</literal> - View users (including details for specific user) in the realm`
			`</listitem>`
			`<listitem>`
			`<literal>view-applications</literal> - View applications in the realm`
			`</listitem>`
			`<listitem>`
			`<literal>view-clients</literal> - View clients in the realm`
			`</listitem>`
KEYCLOAK-744 Document view-event and manage-event roles 2014-10-13 12:02:20 +00:00			`<listitem>`
			`<literal>view-events</literal> - View events in the realm`
			`</listitem>`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00
			`<listitem>`
			`<literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)`
			`</listitem>`
			`<listitem>`
			`<literal>manage-users</literal> - Create, modify and delete users in the realm`
			`</listitem>`
			`<listitem>`
			`<literal>manage-applications</literal> - Create, modify and delete applications in the realm`
			`</listitem>`
			`<listitem>`
			`<literal>manage-clients</literal> - Create, modify and delete clients in the realm`
			`</listitem>`
KEYCLOAK-744 Document view-event and manage-event roles 2014-10-13 12:02:20 +00:00			`<listitem>`
			`<literal>manage-events</literal> - Enable/disable events, clear logged events and manage event listeners`
			`</listitem>`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`</itemizedlist>`
			`Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).`
			`</para>`
			`<para>`
update docs 2014-05-28 13:31:33 +00:00			`To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.`
Added documentation for admin access control 2014-03-06 13:33:53 +00:00			`Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under`
			`<literal>Application Roles</literal> select the application that represents the realm you're adding permissions to`
			`(<literal><realm name>-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.`
			`</para>`
			`</section>`
update docs 2014-05-28 13:31:33 +00:00			`</chapter>`