admin console work

core/src/test/java/org/keycloak/RSAVerifierTest.java

@@ -234,13 +234,16 @@ public class RSAVerifierTest {
     public void testTokenAuth() throws Exception {
         token = new AccessToken();
         token.subject("CN=Client")
-                .issuer("domain")
+                .issuer("http://localhost:8080/auth/realms/demo")
                 .addAccess("service").addRole("admin").verifyCaller(true);
+        token.setEmail("bill@jboss.org");
 
         String encoded = new JWSBuilder()
                 .jsonContent(token)
                 .rsa256(idpPair.getPrivate());
 
+        System.out.println("token size: " + encoded.length());
+
         AccessToken v = null;
         try {
             v = verifySkeletonKeyToken(encoded);

services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java

@@ -137,7 +137,7 @@ public class AuthenticationManagementResource {
     @NoCache
     @Produces(MediaType.APPLICATION_JSON)
     public List<Map<String, Object>> getClientAuthenticatorProviders() {
-        auth.realm().requireViewRealm();
+        auth.requireAnyAdminRole();
 
         List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
         return buildProviderMetadata(factories);
@@ -959,7 +959,7 @@ public class AuthenticationManagementResource {
     @Produces(MediaType.APPLICATION_JSON)
     @NoCache
     public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
-        auth.realm().requireViewRealm();
+        auth.requireAnyAdminRole();
 
         List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
 

services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java

@@ -115,7 +115,7 @@ public class ClientAttributeCertificateResource {
     @Path("generate")
     @Produces(MediaType.APPLICATION_JSON)
     public CertificateRepresentation generate() {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(client.getClientId());
 
@@ -139,7 +139,7 @@ public class ClientAttributeCertificateResource {
     @Consumes(MediaType.MULTIPART_FORM_DATA)
     @Produces(MediaType.APPLICATION_JSON)
     public CertificateRepresentation uploadJks(@Context final UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         try {
             CertificateRepresentation info = getCertFromRequest(input);
@@ -165,7 +165,7 @@ public class ClientAttributeCertificateResource {
     @Consumes(MediaType.MULTIPART_FORM_DATA)
     @Produces(MediaType.APPLICATION_JSON)
     public CertificateRepresentation uploadJksCertificate(@Context final UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         try {
             CertificateRepresentation info = getCertFromRequest(input);
@@ -306,7 +306,7 @@ public class ClientAttributeCertificateResource {
     @Produces(MediaType.APPLICATION_OCTET_STREAM)
     @Consumes(MediaType.APPLICATION_JSON)
     public byte[] generateAndGetKeystore(final KeyStoreConfig config) {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         if (config.getFormat() != null && !config.getFormat().equals("JKS") && !config.getFormat().equals("PKCS12")) {
             throw new NotAcceptableException("Only support jks or pkcs12 format.");

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -27,6 +27,7 @@ import org.keycloak.events.admin.OperationType;
 import org.keycloak.events.admin.ResourceType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientTemplateModel;
 import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ModelDuplicateException;
@@ -41,6 +42,7 @@ import org.keycloak.models.utils.RepresentationToModel;
 import org.keycloak.protocol.ClientInstallationProvider;
 import org.keycloak.representations.adapters.action.GlobalRequestResult;
 import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.ClientTemplateRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.ManagementPermissionReference;
 import org.keycloak.representations.idm.UserRepresentation;
@@ -134,7 +136,7 @@ public class ClientResource {
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     public Response update(final ClientRepresentation rep) {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         ValidationMessages validationMessages = new ValidationMessages();
         if (!ClientValidator.validate(rep, validationMessages) || !PairwiseClientValidator.validate(session, rep, validationMessages)) {
@@ -227,7 +229,7 @@ public class ClientResource {
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
     public CredentialRepresentation regenerateSecret() {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         logger.debug("regenerateSecret");
         UserCredentialModel cred = KeycloakModelUtils.generateSecret(client);
@@ -326,7 +328,7 @@ public class ClientResource {
     @POST
     @Produces(MediaType.APPLICATION_JSON)
     public GlobalRequestResult pushRevocation() {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).resource(ResourceType.CLIENT).success();
         return new ResourceAdminManager(session).pushClientRevocationPolicy(uriInfo.getRequestUri(), realm, client);
@@ -456,7 +458,7 @@ public class ClientResource {
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
     public void registerNode(Map<String, String> formParams) {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         String node = formParams.get("node");
         if (node == null) {
@@ -476,7 +478,7 @@ public class ClientResource {
     @DELETE
     @NoCache
     public void unregisterNode(final @PathParam("node") String node) {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         if (logger.isDebugEnabled()) logger.debug("Unregister node: " + node);
 
@@ -500,7 +502,7 @@ public class ClientResource {
     @NoCache
     @Produces(MediaType.APPLICATION_JSON)
     public GlobalRequestResult testNodesAvailable() {
-        auth.clients().requireManage(client);
+        auth.clients().requireConfigure(client);
 
         logger.debug("Test availability of cluster nodes");
         GlobalRequestResult result = new ResourceAdminManager(session).testNodesAvailability(uriInfo.getRequestUri(), realm, client);
@@ -583,6 +585,30 @@ public class ClientResource {
             new ClientManager(new RealmManager(session)).clientIdChanged(client, rep.getClientId());
         }
 
+        if (rep.isFullScopeAllowed() != null && rep.isFullScopeAllowed().booleanValue() != client.isFullScopeAllowed()) {
+            auth.clients().requireManage(client);
+        }
+
+        if (rep.getClientTemplate() != null) {
+            ClientTemplateModel currTemplate = client.getClientTemplate();
+            if (currTemplate == null) {
+                if (!rep.getClientTemplate().equals(ClientTemplateRepresentation.NONE)) {
+                    auth.clients().requireManage(client);
+                }
+            }  else if (!rep.getClientTemplate().equals(currTemplate.getName())){
+                auth.clients().requireManage(client);
+            }
+            if ((rep.isUseTemplateConfig() != null && rep.isUseTemplateConfig().booleanValue() != client.useTemplateConfig())
+                    || (rep.isUseTemplateScope() != null && rep.isUseTemplateScope().booleanValue() != client.useTemplateScope())
+                    || (rep.isUseTemplateMappers() != null && rep.isUseTemplateMappers().booleanValue() != client.useTemplateMappers())
+
+                    ) {
+                auth.clients().requireManage(client);
+            }
+        }
+
+
+
         RepresentationToModel.updateClient(rep, client);
     }
 

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java

@@ -56,6 +56,10 @@ public interface ClientPermissionEvaluator {
 
     boolean canManage(ClientModel client);
 
+    boolean canConfigure(ClientModel client);
+
+    void requireConfigure(ClientModel client);
+
     void requireManage(ClientModel client);
 
     boolean canView(ClientModel client);

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java

@@ -31,6 +31,7 @@ public interface ClientPermissionManagement {
     public static final String MAP_ROLES_SCOPE = "map-roles";
     public static final String MAP_ROLES_CLIENT_SCOPE = "map-roles-client-scope";
     public static final String MAP_ROLES_COMPOSITE_SCOPE = "map-roles-composite";
+    public static final String CONFIGURE_SCOPE = "configure";
 
     boolean isPermissionsEnabled(ClientModel client);
 
@@ -48,6 +49,8 @@ public interface ClientPermissionManagement {
 
     Policy managePermission(ClientModel client);
 
+    Policy configurePermission(ClientModel client);
+
     Policy viewPermission(ClientModel client);
 
     ResourceServer resourceServer(ClientModel client);

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java

@@ -63,6 +63,9 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
     private String getManagePermissionName(ClientModel client) {
         return "manage.permission.client." + client.getId();
     }
+    private String getConfigurePermissionName(ClientModel client) {
+        return "configure.permission.client." + client.getId();
+    }
     private String getViewPermissionName(ClientModel client) {
         return "view.permission.client." + client.getId();
     }
@@ -98,6 +101,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         if (mapRoleCompositeScope == null) {
             mapRoleCompositeScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLES_COMPOSITE_SCOPE, server);
         }
+        Scope configureScope = authz.getStoreFactory().getScopeStore().findByName(CONFIGURE_SCOPE, server.getId());
+        if (configureScope == null) {
+            configureScope = authz.getStoreFactory().getScopeStore().create(CONFIGURE_SCOPE, server);
+        }
 
         String resourceName = getResourceName(client);
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@@ -105,6 +112,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
             resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
             resource.setType("Client");
             Set<Scope> scopeset = new HashSet<>();
+            scopeset.add(configureScope);
             scopeset.add(manageScope);
             scopeset.add(viewScope);
             scopeset.add(mapRoleScope);
@@ -117,6 +125,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         if (managePermission == null) {
             Helper.addEmptyScopePermission(authz, server, managePermissionName, resource, manageScope);
         }
+        String configurePermissionName = getConfigurePermissionName(client);
+        Policy configurePermission = authz.getStoreFactory().getPolicyStore().findByName(configurePermissionName, server.getId());
+        if (configurePermission == null) {
+            Helper.addEmptyScopePermission(authz, server, configurePermissionName, resource, configureScope);
+        }
         String viewPermissionName = getViewPermissionName(client);
         Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(viewPermissionName, server.getId());
         if (viewPermission == null) {
@@ -139,8 +152,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         }
     }
 
-    private void deletePolicy(String name, ClientModel client, ResourceServer server) {
+    private void deletePolicy(String name, ResourceServer server) {
-        Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getViewPermissionName(client), server.getId());
+        Policy policy = authz.getStoreFactory().getPolicyStore().findByName(name, server.getId());
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
         }
@@ -150,11 +163,12 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
     private void deletePermissions(ClientModel client) {
         ResourceServer server = resourceServer(client);
         if (server == null) return;
-        deletePolicy(getManagePermissionName(client), client, server);
+        deletePolicy(getManagePermissionName(client), server);
-        deletePolicy(getViewPermissionName(client), client, server);
+        deletePolicy(getViewPermissionName(client), server);
-        deletePolicy(getMapRolesPermissionName(client), client, server);
+        deletePolicy(getMapRolesPermissionName(client), server);
-        deletePolicy(getMapRolesClientScopePermissionName(client), client, server);
+        deletePolicy(getMapRolesClientScopePermissionName(client), server);
-        deletePolicy(getMapRolesCompositePermissionName(client), client, server);
+        deletePolicy(getMapRolesCompositePermissionName(client), server);
+        deletePolicy(getConfigurePermissionName(client), server);
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
         if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
     }
@@ -182,6 +196,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.MANAGE_SCOPE, server.getId());
     }
 
+    private Scope configureScope(ResourceServer server) {
+        return authz.getStoreFactory().getScopeStore().findByName(CONFIGURE_SCOPE, server.getId());
+    }
+
     private Scope viewScope(ResourceServer server) {
         return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.VIEW_SCOPE, server.getId());
     }
@@ -259,6 +277,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
         scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
         scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
+        scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
         return scopes;
     }
 
@@ -291,6 +310,41 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         return root.evaluatePermission(resource, scope, server);
     }
 
+    @Override
+    public boolean canConfigure(ClientModel client) {
+        if (canManage(client)) return true;
+        if (!root.isAdminSameRealm()) {
+            return false;
+        }
+
+        ResourceServer server = resourceServer(client);
+        if (server == null) return false;
+
+        Resource resource =  authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
+        if (resource == null) return false;
+
+        Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
+        if (policy == null) {
+            return false;
+        }
+
+        Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
+        // if no policies attached to permission then just do default behavior
+        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
+            return false;
+        }
+
+        Scope scope = configureScope(server);
+        return root.evaluatePermission(resource, scope, server);
+    }
+    @Override
+    public void requireConfigure(ClientModel client) {
+        if (!canConfigure(client)) {
+            throw new ForbiddenException();
+        }
+    }
+
+
     @Override
     public void requireManage(ClientModel client) {
         if (!canManage(client)) {
@@ -300,7 +354,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 
     @Override
     public boolean canView(ClientModel client) {
-        return hasView(client) || canManage(client);
+        return hasView(client) || canConfigure(client);
     }
 
     private boolean hasView(ClientModel client) {
@@ -437,6 +491,13 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         return authz.getStoreFactory().getPolicyStore().findByName(getManagePermissionName(client), server.getId());
     }
 
+    @Override
+    public Policy configurePermission(ClientModel client) {
+        ResourceServer server = resourceServer(client);
+        if (server == null) return null;
+        return authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
+    }
+
     @Override
     public Policy viewPermission(ClientModel client) {
         ResourceServer server = resourceServer(client);
@@ -499,6 +560,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         Map<String, Boolean> map = new HashMap<>();
         map.put("view", canView(client));
         map.put("manage", canManage(client));
+        map.put("configure", canConfigure(client));
         return map;
     }
 

services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java

@@ -41,9 +41,9 @@ import java.util.Set;
 class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManagement {
     private static final Logger logger = Logger.getLogger(GroupPermissions.class);
     public static final String MAP_ROLE_SCOPE = "map-role";
-    public static final String MANAGE_MEMBERSHIP_SCOPE = "manage.membership";
+    public static final String MANAGE_MEMBERSHIP_SCOPE = "manage-membership";
-    public static final String MANAGE_MEMBERS_SCOPE = "manage.members";
+    public static final String MANAGE_MEMBERS_SCOPE = "manage-members";
-    public static final String VIEW_MEMBERS_SCOPE = "view.members";
+    public static final String VIEW_MEMBERS_SCOPE = "view-members";
     protected final KeycloakSession session;
     protected final RealmModel realm;
     protected final AuthorizationProvider authz;

services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java

@@ -319,7 +319,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
         if (container instanceof RealmModel) {
             return root.realm().canManageRealm();
         } else {
-            return root.clients().canManage((ClientModel)container);
+            return root.clients().canConfigure((ClientModel)container);
         }
     }
 

services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java

@@ -127,6 +127,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
         scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
         scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
         scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
+        scopes.put(USER_IMPERSONATED_SCOPE, userImpersonatedPermission().getId());
         return scopes;
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java

@@ -22,9 +22,11 @@ import org.keycloak.admin.client.Keycloak;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.AuthorizationProviderFactory;
 import org.keycloak.authorization.model.Resource;
+import org.keycloak.models.ClientTemplateModel;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.RepresentationToModel;
+import org.keycloak.representations.idm.ClientTemplateRepresentation;
 import org.keycloak.representations.idm.authorization.Logic;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
@@ -85,6 +87,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         RoleModel salesAppsAdminRole = realm.addRole("sales-apps-admin");
         salesAppsAdminRole.addCompositeRole(clientAdmin);
         salesAppsAdminRole.addCompositeRole(client2Admin);
+        ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
+        RoleModel queryClient = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
 
 
         UserModel admin = session.users().addUser(realm, "salesManager");
@@ -99,6 +103,10 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         admin = session.users().addUser(realm, "sales-pipeline-admin");
         admin.setEnabled(true);
         session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
+        admin = session.users().addUser(realm, "client-admin");
+        admin.setEnabled(true);
+        admin.grantRole(queryClient);
+        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
 
         UserModel user = session.users().addUser(realm, "salesman");
         user.setEnabled(true);
@@ -115,6 +123,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         RoleModel realmRole = realm.addRole("realm-role");
         RoleModel realmRole2 = realm.addRole("realm-role2");
         ClientModel client1 = realm.addClient(CLIENT_NAME);
+        ClientTemplateModel template = realm.addClientTemplate("template");
+        client1.setFullScopeAllowed(false);
         RoleModel client1Role = client1.addRole("client-role");
         GroupModel group = realm.createGroup("top");
 
@@ -280,6 +290,19 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         clientManagerPolicy.addAssociatedPolicy(userPolicy);
 
 
+        UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
+        clientConfigurer.setEnabled(true);
+        clientConfigurer.grantRole(queryClientsRole);
+        session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
+
+        Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
+        userRep = new UserPolicyRepresentation();
+        userRep.setName("clientConfigure");
+        userRep.addUser("clientConfigurer");
+        userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
+        clientConfigurePolicy.addAssociatedPolicy(userPolicy);
+
+
 
 
 
@@ -364,20 +387,13 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
     protected boolean isImportAfterEachMethod() {
         return true;
     }
-    //@Test
+    @Test
     public void testDemo() throws Exception {
         testingClient.server().run(FineGrainAdminUnitTest::setupDemo);
         Thread.sleep(1000000000);
     }
 
 
-    //@Test
-    public void testUI() throws Exception {
-        testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
-        testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
-        Thread.sleep(1000000000);
-    }
-
     @Test
     public void testEvaluationLocal() throws Exception {
         testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
@@ -400,10 +416,48 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         List<RoleRepresentation> realmRole2Set = new LinkedList<>();
         realmRole2Set.add(realmRole2);
         ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(CLIENT_NAME).get(0);
+        ClientTemplateRepresentation template = adminClient.realm(TEST).clientTemplates().findAll().get(0);
         RoleRepresentation clientRole = adminClient.realm(TEST).clients().get(client.getId()).roles().get("client-role").toRepresentation();
         List<RoleRepresentation> clientRoleSet = new LinkedList<>();
         clientRoleSet.add(clientRole);
 
+        // test configure client
+        {
+            Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+                    TEST, "clientConfigurer", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+            client.setAdminUrl("http://nowhere");
+            realmClient.realm(TEST).clients().get(client.getId()).update(client);
+            client.setFullScopeAllowed(true);
+            try {
+                realmClient.realm(TEST).clients().get(client.getId()).update(client);
+                Assert.fail("should fail with forbidden exception");
+            } catch (ClientErrorException e) {
+                Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+            }
+            client.setFullScopeAllowed(false);
+            realmClient.realm(TEST).clients().get(client.getId()).update(client);
+
+            client.setClientTemplate(template.getName());
+            try {
+                realmClient.realm(TEST).clients().get(client.getId()).update(client);
+                Assert.fail("should fail with forbidden exception");
+            } catch (ClientErrorException e) {
+                Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+            }
+            client.setClientTemplate(null);
+            realmClient.realm(TEST).clients().get(client.getId()).update(client);
+
+            try {
+                realmClient.realm(TEST).clients().get(client.getId()).getScopeMappings().realmLevel().add(realmRoleSet);
+                Assert.fail("should fail with forbidden exception");
+            } catch (ClientErrorException e) {
+                Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+            }
+        }
+
         // test illegal impersonation
         {
             Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),

themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties

@@ -1326,9 +1326,9 @@ manage-permissions-client.tooltip=Fine grain permssions for admins that want to
 manage-permissions-group.tooltip=Fine grain permssions for admins that want to manage this group or the members of this group.
 manage-authz-group-scope-description=Policies that decide if an admin can manage this group
 view-authz-group-scope-description=Policies that decide if an admin can view this group
-view.members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
+view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
-manage.members-authz-group-scope-description=Policies that decide if an admin can view the members of this group
 manage-authz-client-scope-description=Policies that decide if an admin can manage this client
+configure-authz-client-scope-description=Reduced management permissions for admin.  Cannot set scope, template, or protocol mappers.
 view-authz-client-scope-description=Policies that decide if an admin can view this client
 map-roles-authz-client-scope-description=Policies that decide if an admin can map roles defined by this client
 map-roles-client-scope-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client to the client scope of another client
@@ -1336,6 +1336,11 @@ map-roles-composite-authz-client-scope-description=Policies that decide if an ad
 map-role-authz-role-scope-description=Policies that decide if an admin can map role this role to a user or group
 map-role-client-scope-authz-role-scope-description=Policies that decide if an admin can apply this role to the client scope of a client
 map-role-composite-authz-role-scope-description=Policies that decide if an admin can apply this role as a composite to another role
-
+manage-group-membership-authz-users-scope-description=Policies that decide if an admin can manage group membership for all users in the realm.  This is used in conjunction with specific group policy
+impersonate-authz-users-scope-description=Policies that decide if admin can impersonate other users
+map-roles-authz-users-scope-description=Policies that decide if admin can map roles for all users
+user-impersonated-authz-users-scope-description=Policies that decide which users can be impersonated.  These policies are applied to the user being impersonated.
+manage-membership-authz-group-scope-description=Policies that decide if admin can add or remove users from this group
+manage-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
 
 

themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js

@@ -2507,7 +2507,7 @@ module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $l
 
 
 });
-module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, RoleManagementPermissions, Client, Notifications) {
+module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, Client, RoleManagementPermissions, Client, Notifications) {
     console.log('RealmRolePermissionsCtrl');
     $scope.client = client;
     $scope.role = role;
@@ -2515,6 +2515,9 @@ module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $
     RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
         $scope.permissions = data;
     });
+    Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
+        $scope.realmManagementClientId = data[0].id;
+    });
     $scope.setEnabled = function() {
         console.log('perssions enabled: ' + $scope.permissions.enabled);
         var param = { enabled: $scope.permissions.enabled};
@@ -2542,12 +2545,15 @@ module.controller('UsersPermissionsCtrl', function($scope, $http, $route, $locat
 
 });
 
-module.controller('ClientPermissionsCtrl', function($scope, $http, $route, $location, realm, client, ClientManagementPermissions, Notifications) {
+module.controller('ClientPermissionsCtrl', function($scope, $http, $route, $location, realm, client, Client, ClientManagementPermissions, Notifications) {
     $scope.client = client;
     $scope.realm = realm;
     ClientManagementPermissions.get({realm: realm.realm, client: client.id}, function(data) {
         $scope.permissions = data;
     });
+    Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
+        $scope.realmManagementClientId = data[0].id;
+    });
     $scope.setEnabled = function() {
         var param = { enabled: $scope.permissions.enabled};
         $scope.permissions = ClientManagementPermissions.update({realm: realm.realm, client: client.id}, param);

themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html

@@ -27,9 +27,9 @@
         </thead>
         <tbody>
         <tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
-            <td><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
+            <td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
             <td translate="{{scopeName}}-authz-client-scope-description"></td>
-            <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
+            <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
         </tr>
         </tbody>
     </table>

themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html

@@ -28,9 +28,9 @@
         </thead>
         <tbody>
         <tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
-            <td><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
+            <td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
             <td translate="{{scopeName}}-authz-role-scope-description"></td>
-            <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
+            <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
         </tr>
         </tbody>
     </table>

themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html

@@ -10,10 +10,10 @@
     <h1 data-ng-show="create">{{:: 'add-node' | translate}}</h1>
     <h1 data-ng-hide="create">
         {{node.host|capitalize}}
-        <i id="removeClient" class="pficon pficon-delete clickable" data-ng-show="client.access.manage" data-ng-click="unregisterNode()"></i>
+        <i id="removeClient" class="pficon pficon-delete clickable" data-ng-show="client.access.configure" data-ng-click="unregisterNode()"></i>
     </h1>
 
-    <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.manage" data-ng-show="create || registered">
+    <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.configure" data-ng-show="create || registered">
         <div class="form-group">
             <label class="col-md-2 control-label" for="host">{{:: 'host' | translate}}</label>
             <div class="col-sm-6">
@@ -27,7 +27,7 @@
             </div>
         </div>
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                 <button data-kc-save data-ng-show="create">{{:: 'save' | translate}}</button>
             </div>
         </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-clustering.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.configure">
         <legend><span class="text">{{:: 'basic-configuration' | translate}}</span></legend>
         <fieldset >
             <div class="form-group clearfix">
@@ -31,7 +31,7 @@
             </div>
 
             <div class="form-group">
-                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                     <button data-kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
                     <button data-kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
                 </div>
@@ -43,7 +43,7 @@
             <table class="table table-striped table-bordered">
                 <thead>
                     <tr>
-                        <th class="kc-table-actions" colspan="5" data-ng-show="client.access.manage">
+                        <th class="kc-table-actions" colspan="5" data-ng-show="client.access.configure">
                             <div class="pull-right">
                                 <a class="btn btn-default" tooltip="Manually register cluster node. This is usually not needed as cluster node should be registered automatically by adapter"
                                    tooltip-trigger="mouseover mouseout" tooltip-placement="bottom" href="#/register-node/realms/{{realm.realm}}/clients/{{client.id}}/clustering">{{:: 'register-node-manually' | translate}}</a>

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html

@@ -1,11 +1,11 @@
 <div>
-    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.manage" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
+    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.configure" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
         <fieldset>
             <kc-provider-config realm="realm" config="client.attributes" properties="currentAuthenticatorConfigProperties"></kc-provider-config>
         </fieldset>
 
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                 <button kc-save  data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
                 <button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
             </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html

@@ -9,7 +9,7 @@
 
     <h1>{{:: 'generate-private-key' | translate}}</h1>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <input type="text" readonly value="this is not a login form" style="display: none;">
         <input type="password" readonly value="this is not a login form" style="display: none;">
 
@@ -48,7 +48,7 @@
                 <kc-tooltip>{{:: 'store-password.tooltip' | translate}}</kc-tooltip>
             </div>
             <div class="form-group">
-                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                     <button class="btn btn-primary" type="submit" data-ng-click="download()">{{:: 'generate-and-download' | translate}}</button>
                     <button class="btn btn-default" type="submit" data-ng-click="cancel()">{{:: 'cancel' | translate}}</button>
                 </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html

@@ -9,7 +9,7 @@
 
     <h1>{{:: 'import-client-certificate' | translate}}</h1>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <input type="text" readonly value="this is not a login form" style="display: none;">
         <input type="password" readonly value="this is not a login form" style="display: none;">
 

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html

@@ -1,4 +1,4 @@
- <div class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!client.access.manage" data-ng-controller="ClientSignedJWTCtrl">
+ <div class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!client.access.configure" data-ng-controller="ClientSignedJWTCtrl">
 
      <div class="form-group">
          <label class="col-md-2 control-label" for="useJwksUrl">{{:: 'use-jwks-url' | translate}}</label>
@@ -63,7 +63,7 @@
      </div>
 
      <div class="form-group">
-         <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+         <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
              <button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'gen-new-keys-and-cert' | translate}}</button>
              <button data-ng-disabled="useJwksUrl" class="btn btn-default" type="submit" data-ng-click="importCertificate()">{{:: 'import-certificate' | translate}}</button>
              <button kc-save  data-ng-disabled="!changed" data-ng-click="save()">{{:: 'save' | translate}}</button>

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html

@@ -1,5 +1,5 @@
 <div>
-    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.manage" data-ng-controller="ClientSecretCtrl">
+    <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.configure" data-ng-controller="ClientSecretCtrl">
         <div class="form-group">
             <label class="col-md-2 control-label" for="secret">{{:: 'secret' | translate}}</label>
             <div class="col-sm-6">
@@ -7,7 +7,7 @@
                     <div class="col-sm-6">
                         <input readonly kc-select-action="click" class="form-control" type="text" id="secret" name="secret" data-ng-model="secret">
                     </div>
-                    <div class="col-sm-6" data-ng-show="client.access.manage">
+                    <div class="col-sm-6" data-ng-show="client.access.configure">
                         <button type="submit" data-ng-click="changePassword()" class="btn btn-default">{{:: 'regenerate-secret' | translate}}</button>
                     </div>
                 </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.configure">
         <fieldset class="border-top">
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="clientAuthenticatorType"> {{:: 'client-authenticator' | translate}}</label>

themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.configure">
         <fieldset class="border-top">
             <div class="form-group">
                 <label class="col-md-2 control-label" for="clientId">{{:: 'client-id' | translate}}</label>
@@ -57,7 +57,7 @@
                 </div>
                 <kc-tooltip>{{:: 'client-protocol.tooltip' | translate}}</kc-tooltip>
             </div>
-            <div class="form-group">
+            <div class="form-group"  kc-read-only="!client.access.manage">
                 <label class="col-md-2 control-label" for="protocol">{{:: 'client-template' | translate}}</label>
                 <div class="col-sm-6">
                     <div>
@@ -391,7 +391,7 @@
         </fieldset>
 
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                 <button kc-save  data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
                 <button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
             </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-keys.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <input type="text" readonly value="this is not a login form" style="display: none;">
         <input type="password" readonly value="this is not a login form" style="display: none;">
 
@@ -137,7 +137,7 @@
                               kc-select-action="click" readonly>{{keyInfo.certificate}}</textarea>
                 </div>
             </div>
-            <div class="form-group" data-ng-show="client.access.manage">
+            <div class="form-group" data-ng-show="client.access.configure">
                 <div class="pull-right">
                     <button class="btn btn-primary" type="submit" data-ng-click="generate()">Generate new keys</button>
                 </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html

@@ -1,5 +1,5 @@
 <div>
-    <form class="form-horizontal" name="registrationAccessTokenForm" novalidate kc-read-only="!access.manageClients">
+    <form class="form-horizontal" name="registrationAccessTokenForm" novalidate kc-read-only="!client.access.configure">
         <div class="form-group">
             <label class="col-md-2 control-label" for="registrationAccessToken">{{:: 'registrationAccessToken' | translate}}</label>
             <div class="col-sm-6">
@@ -7,7 +7,7 @@
                     <div class="col-sm-6">
                         <input readonly kc-select-action="click" class="form-control" type="text" id="registrationAccessToken" name="registrationAccessToken" data-ng-model="client.registrationAccessToken">
                     </div>
-                    <div class="col-sm-6" data-ng-show="access.manageClients">
+                    <div class="col-sm-6" data-ng-show="client.access.configure">
                         <button type="submit" data-ng-click="regenerateRegistrationAccessToken()" class="btn btn-default">{{:: 'registrationAccessToken.regenerate' | translate}}</button>
                     </div>
                 </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-revocation.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!client.access.configure">
         <fieldset class="border-top">
             <div class="form-group">
                 <label class="col-md-2 control-label" for="notBefore">{{:: 'not-before' | translate}}</label>
@@ -18,7 +18,7 @@
             </div>
         </fieldset>
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                 <button type="submit" data-ng-click="clear()" class="btn btn-default">{{:: 'clear' | translate}}</button>
                 <button type="submit" data-ng-click="setNotBeforeNow()" class="btn btn-default">{{:: 'set-to-now' | translate}}</button>
                 <button type="submit" data-ng-click="pushRevocation()" class="btn btn-primary" tooltip-trigger="mouseover mouseout" tooltip="{{:: 'client-revoke.push.tooltip' | translate}}" tooltip-placement="bottom">{{:: 'push' | translate}}</button>

themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html

@@ -10,7 +10,7 @@
 
     <kc-tabs-client-role></kc-tabs-client-role>
 
-    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure">
 
         <fieldset class="border-top">
             <div class="form-group">
@@ -47,13 +47,13 @@
         </fieldset>
 
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="create && client.access.manages">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="create && client.access.configure">
                 <button kc-save>{{:: 'save' | translate}}</button>
                 <button kc-cancel data-ng-click="cancel()">{{:: 'cancel' | translate}}</button>
             </div>
         </div>
         <div class="form-group">
-            <div class="col-md-10 col-md-offset-2" data-ng-show="!create && client.access.manage">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="!create && client.access.configure">
                 <button kc-save  data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
                 <button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
             </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-role-list.html

@@ -10,7 +10,7 @@
     <table class="table table-striped table-bordered">
         <thead>
         <tr>
-            <th class="kc-table-actions" colspan="5" data-ng-show="client.access.manage">
+            <th class="kc-table-actions" colspan="5" data-ng-show="client.access.configure">
                 <div class="pull-right">
                     <a class="btn btn-default" href="#/create/role/{{realm.realm}}/clients/{{client.id}}">{{:: 'add-role' | translate}}</a>
                 </div>
@@ -29,7 +29,7 @@
             <td translate="{{role.composite}}"></td>
             <td>{{role.description}}</td>
             <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}">{{:: 'edit' | translate}}</td>
-            <td class="kc-action-cell" data-ng-show="client.access.manage" data-ng-click="removeRole(role)">{{:: 'delete' | translate}}</td>
+            <td class="kc-action-cell" data-ng-show="client.access.configure" data-ng-click="removeRole(role)">{{:: 'delete' | translate}}</td>
         </tr>
         <tr data-ng-show="!roles || roles.length == 0">
             <td>{{:: 'no-client-roles-available' | translate}}</td>

themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-export.html

@@ -9,7 +9,7 @@
 
     <h1>{{:: 'export-saml-key' | translate}} {{client.clientId|capitalize}}</h1>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <input type="text" readonly value="this is not a login form" style="display: none;">
         <input type="password" readonly value="this is not a login form" style="display: none;">
 
@@ -55,7 +55,7 @@
                 <kc-tooltip>{{:: 'store-password.tooltip' | translate}}</kc-tooltip>
            </div>
             <div class="form-group">
-                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                     <button class="btn btn-primary" type="submit" data-ng-click="download()">{{:: 'download' | translate}}</button>
                 </div>
             </div>

themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-import.html

@@ -9,7 +9,7 @@
 
     <h1>{{:: 'import-saml-key' | translate}} {{client.clientId|capitalize}}</h1>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <input type="text" readonly value="this is not a login form" style="display: none;">
         <input type="password" readonly value="this is not a login form" style="display: none;">
 

themes/src/main/resources/theme/base/admin/resources/partials/client-saml-keys.html

@@ -7,7 +7,7 @@
 
     <kc-tabs-client></kc-tabs-client>
 
-    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+    <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
         <fieldset class="form-group col-sm-10" data-ng-show="client.attributes['saml.client.signature'] == 'true'">
             <legend uncollapsed><span class="text">{{:: 'signing-key' | translate}}</span>  <kc-tooltip>{{:: 'saml-signing-key' | translate}}</kc-tooltip></legend>
             <div class="form-group" data-ng-hide="!signingKeyInfo.privateKey">
@@ -27,7 +27,7 @@
                 </div>
             </div>
             <div class="form-group">
-                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                     <button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'generate-new-keys' | translate}}</button>
                     <button class="btn btn-default" type="submit" data-ng-click="importSigningKey()">{{:: 'import' | translate}}</button>
                     <button class="btn btn-default" type="submit" data-ng-hide="!signingKeyInfo.certificate" data-ng-click="exportSigningKey()">{{:: 'export' | translate}}</button>
@@ -53,7 +53,7 @@
                 </div>
             </div>
             <div class="form-group">
-                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+                <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
                     <button class="btn btn-default" type="submit" data-ng-click="generateEncryptionKey()">{{:: 'generate-new-keys' | translate}}</button>
                     <button class="btn btn-default" type="submit" data-ng-click="importEncryptionKey()">{{:: 'import' | translate}}</button>
                     <button class="btn btn-default" type="submit" data-ng-hide="!encryptionKeyInfo.certificate" data-ng-click="exportEncryptionKey()">{{:: 'export' | translate}}</button>

themes/src/main/resources/theme/base/admin/resources/partials/client-scope-mappings.html

@@ -25,14 +25,14 @@
                     <label class="col-md-2 control-label" for="fullScopeAllowed">{{:: 'full-scope-allowed' | translate}}</label>
                     <kc-tooltip>{{:: 'full-scope-allowed.tooltip' | translate}}</kc-tooltip>
                     <div class="col-md-6">
-                        <input ng-model="client.fullScopeAllowed" ng-click="changeFlag()" name="fullScopeAllowed" id="fullScopeAllowed" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+                        <input kc-read-only="!client.access.manage" ng-model="client.fullScopeAllowed" ng-click="changeFlag()" name="fullScopeAllowed" id="fullScopeAllowed" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
                     </div>
                 </div>
                 <div class="form-group" ng-show="client.useTemplateScope && template && template.fullScopeAllowed">
                     <label class="col-md-2 control-label" for="fullScopeAllowed">{{:: 'full-scope-allowed' | translate}}</label>
                     <kc-tooltip>Client template has full scope allowed, which means this client will have the full scope of all roles.</kc-tooltip>
                     <div class="col-md-1">
-                        <input ng-model="template.fullScopeAllowed" name="fullScopeAllowed" id="fullScopeAllowed" ng-disabled="true" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                        <input kc-read-only="!client.access.manage" ng-model="template.fullScopeAllowed" name="fullScopeAllowed" id="fullScopeAllowed" ng-disabled="true" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
                     </div>
                     <div class="col-md-1">
                         <i>inherited</i>

themes/src/main/resources/theme/base/admin/resources/partials/client-service-account-roles.html

@@ -10,7 +10,7 @@
     <h2><span>{{client.clientId}}</span> {{:: 'service-accounts' | translate}} </h2>
     <p class="subtitle"></p>
 
-    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage" data-ng-show="client.serviceAccountsEnabled">
+    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure" data-ng-show="client.serviceAccountsEnabled">
         <div class="form-group">
             <label class="col-md-2 control-label" class="control-label">{{:: 'realm-roles' | translate}}</label>
             <div class="col-md-10">
@@ -102,7 +102,7 @@
         </div>
     </form>
 
-    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage" data-ng-show="!client.serviceAccountsEnabled">
+    <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure" data-ng-show="!client.serviceAccountsEnabled">
         <legend><span class="text" translate="service-account-is-not-enabled-for" translate-values="{client: client.clientId}"></span></legend>
     </form>
 

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html

@@ -43,7 +43,7 @@
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/service-account-roles">{{:: 'service-account-roles' | translate}}</a>
             <kc-tooltip>{{:: 'service-account-roles.tooltip' | translate}}</kc-tooltip>
         </li>
-        <li ng-class="{active: path[4] == 'permissions'}">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="client.access.manage && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-client.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html

@@ -1,7 +1,7 @@
 <div data-ng-controller="GroupTabCtrl">
     <h1>
         {{group.name|capitalize}}
-        <i id="removeGroup" class="pficon pficon-delete clickable" data-ng-show="access.manageUsers" data-ng-click="removeGroup()"></i>
+        <i id="removeGroup" class="pficon pficon-delete clickable" data-ng-show="group.access.manage" data-ng-click="removeGroup()"></i>
     </h1>
 
     <ul class="nav nav-tabs">
@@ -9,7 +9,7 @@
         <li ng-class="{active: path[4] == 'attributes'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/attributes">{{:: 'attributes' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'role-mappings'}" ><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/role-mappings">{{:: 'role-mappings' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'members'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/members">{{:: 'members' | translate}}</a></li>
-        <li ng-class="{active: path[4] == 'permissions'}">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="group.access.manage && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/groups/{{group.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-group.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html

@@ -5,7 +5,7 @@
 
     <ul class="nav nav-tabs" data-ng-show="!create">
         <li ng-class="{active: !path[4]}"><a href="#/realms/{{realm.realm}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
-        <li ng-class="{active: path[4] == 'permissions'}">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="access.manageRealm && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html

@@ -3,7 +3,7 @@
 
     <ul class="nav nav-tabs">
         <li ng-class="{active: path[2] == 'users'}"><a href="#/realms/{{realm.realm}}/users">{{:: 'lookup' | translate}}</a></li>
-        <li ng-class="{active: path[2] == 'users-permissions'}"data-ng-show="access.viewRealm">
+        <li ng-class="{active: path[2] == 'users-permissions'}" data-ng-show="access.manageUsers && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/users-permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-users.tooltip' | translate}}</kc-tooltip>
         </li>