keycloak-scim

History

Clement Cureau 73378df52e [KEYCLOAK-11621] Allow user creation via group permissions (Admin API) Problem: Using fine-grained admin permissions on groups, it is not permitted to create new users within a group. Cause: The POST /{realm}/users API does not check permission for each group part of the new user representation Solution: - Change access logic for POST /{realm}/users to require MANAGE_MEMBERS and MANAGE_MEMBERSHIP permissions on each of the incoming groups Tests: Manual API testing performed: 1. admin user from master realm: - POST /{realm}/users without groups => HTTP 201 user created - POST /{realm}/users with groups => HTTP 201 user created 2. user with MANAGE_MEMBERS & MANAGE_MEMBERSHIP permissions on group1 - POST /{realm}/users without groups => HTTP 403 user NOT created - POST /{realm}/users with group1 => HTTP 201 user created - POST /{realm}/users with group1 & group2 => HTTP 403 user NOT created - POST /{realm}/users with group1 & wrong group path => HTTP 400 user NOT created 3. user with MANAGE_MEMBERS permission on group1 - POST /{realm}/users without groups => HTTP 403 user NOT created - POST /{realm}/users with group1 => HTTP 403 user NOT created - POST /{realm}/users with group1 & group2 => HTTP 403 user NOT created - POST /{realm}/users with group1 & wrong group path => HTTP 400 user NOT created	2020-09-10 12:26:55 -03:00
..
src	[KEYCLOAK-11621] Allow user creation via group permissions (Admin API)	2020-09-10 12:26:55 -03:00
pom.xml	Set version to 12.0.0-SNAPSHOT	2020-07-22 14:36:15 +02:00

Clement Cureau 73378df52e [KEYCLOAK-11621] Allow user creation via group permissions (Admin API)

Problem:
Using fine-grained admin permissions on groups, it is not permitted to create new users
within a group.

Cause:
The POST /{realm}/users API does not check permission for each group part of the new
user representation

Solution:
- Change access logic for POST /{realm}/users to require MANAGE_MEMBERS and
MANAGE_MEMBERSHIP permissions on each of the incoming groups

Tests:
Manual API testing performed:
  1. admin user from master realm:
    - POST /{realm}/users without groups                  => HTTP 201 user created
    - POST /{realm}/users with groups                     => HTTP 201 user created
  2. user with MANAGE_MEMBERS & MANAGE_MEMBERSHIP permissions on group1
    - POST /{realm}/users without groups                  => HTTP 403 user NOT created
    - POST /{realm}/users with group1                     => HTTP 201 user created
    - POST /{realm}/users with group1 & group2            => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & wrong group path  => HTTP 400 user NOT created
  3. user with MANAGE_MEMBERS permission on group1
    - POST /{realm}/users without groups                  => HTTP 403 user NOT created
    - POST /{realm}/users with group1                     => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & group2            => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & wrong group path  => HTTP 400 user NOT created

2020-09-10 12:26:55 -03:00

src

[KEYCLOAK-11621] Allow user creation via group permissions (Admin API)

2020-09-10 12:26:55 -03:00

pom.xml

Set version to 12.0.0-SNAPSHOT

2020-07-22 14:36:15 +02:00