KEYCLOAK-5152

services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java

@@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
             if (root.admin().hasRole(role)) return true;
 
             ClientModel adminClient = root.getRealmManagementClient();
+            // is this an admin role in 'realm-management' client of the realm we are managing?
             if (adminClient.equals(role.getContainer())) {
                 // if this is realm admin role, then check to see if admin has similar permissions
                 // we do this so that the authz service is invoked
-                if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
+                if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
+                        || role.getName().equals(AdminRoles.CREATE_CLIENT)
+                        ) {
                     if (!root.clients().canManage()) {
                         return adminConflictMessage(role);
                     } else {
@@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
                     } else {
                         return true;
                     }
+
+                } else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
+                    return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_USERS)) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java

@@ -658,13 +658,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         adminClient.realm(TEST).roles().create(composite);
         composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
 
-        RoleRepresentation compositePart = new RoleRepresentation();
+        ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
-        compositePart.setName("composite-part");
+        RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
-        adminClient.realm(TEST).roles().create(compositePart);
+        RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
-        compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
-
         List<RoleRepresentation> composites = new LinkedList<>();
-        composites.add(compositePart);
+        composites.add(createClient);
+        composites.add(queryRealms);
         adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
     }
 
@@ -693,13 +692,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         realmClient.realm(TEST).roles().create(composite);
         composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
 
-        RoleRepresentation compositePart = new RoleRepresentation();
+        ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
-        compositePart.setName("composite-part");
+        RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
-        realmClient.realm(TEST).roles().create(compositePart);
-        compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
 
         List<RoleRepresentation> composites = new LinkedList<>();
-        composites.add(compositePart);
+        composites.add(viewUsers);
         realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
     }
     // testRestEvaluationMasterRealm