Fine Grain Permissions - Admin (Impersonation)


Harry M

Jun 28, 2021, 4:44:56 PM
to Keycloak User

Experimenting with admins to have 'impersonation' only on a select 'Client' -- using the following as a template - https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions

Does Keycloak offer the ability to restrict realm admins to only have 'impersonation' on a particular 'Client'? So far I have not been successful with various permutations from the above linked template.

Thanks.

Pedro Igor Craveiro e Silva

Jun 28, 2021, 5:03:21 PM
to Harry M, Keycloak User
Hi,

Do you mean restrict impersonation only for tokens issued by a particular client?

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/f2df7943-5f89-46a9-a468-c2bb89c92ac5n%40googlegroups.com.

Harry M

Jun 29, 2021, 12:13:17 AM
to Keycloak User
Yes -- only for a particular client.

Description:

Current: Admin has 'impersonation' role under 'realm management': Admin can access all Clients in the Realm as any user

Potential Goals via Fine Grain Permissions (FGP): Admin has 'impersonation' role under 'realm management': Admin can only access particular Client FOO as any user

Is the above doable under FGP? 

Pedro Igor Craveiro e Silva

Jun 29, 2021, 7:36:20 AM
to Harry M, Keycloak User
Liked FGP, it saves some typing :)

I did not try it yet, but you should be able to associate policies with the `impersonate` and `user-impersonate` scopes to only allow a set of one or more clients to be granted with these scopes.
 


Urr Nowen

Jun 30, 2021, 2:34:19 AM
to Keycloak User
Hi Pedro:

Thank you for all your guidance -- I've been following your tips for: https://lists.jboss.org/pipermail/keycloak-user/2018-April/013576.html

In User:Permission: Under 'scope-name: impersonate'
  Applied 'Client Policy' for Client FOO

Is the above the pathway to restricting 'impersonation' to Client FOO?

How do we assign users to have the above permission?

Thank you.
  

Pedro Igor Craveiro e Silva

Jun 30, 2021, 10:38:35 AM
to Urr Nowen, Keycloak User
On Wed, Jun 30, 2021 at 3:34 AM Urr Nowen <urn...@gmail.com> wrote:
Hi Pedro:

Thank you for all your guidance -- I've been following your tips for: https://lists.jboss.org/pipermail/keycloak-user/2018-April/013576.html

In User:Permission: Under 'scope-name: impersonate'
  Applied 'Client Policy' for Client FOO 

Is the above the pathway to restricting 'impersonation' to Client FOO?

Yes, the client policy is going to match the `azp` (issued for) claim from the token with the client you defined in the policy.
 

How do we assign users to have above permission?

There is no way to explicitly set it for a user, but you can use the `user-impersonated` scope to define policies that take the user being impersonated into account. Unlike `impersonate`, it makes the user being impersonated available to policies.

For instance, the following JavaScript example is going to only allow impersonation for a given user:

```javascript
// Evaluated under the `user-impersonated` scope, so the identity here is the
// user being impersonated, not the admin doing the impersonation.
var context = $evaluation.context;
var identity = context.identity;
var userAttributes = identity.attributes;

// Grant only when the impersonated user's username is 'alice'; if grant() is
// never called the policy denies.
if (userAttributes.containsValue('username', 'alice')) {
    $evaluation.grant();
}
```
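As an added example (not code from this thread or from Keycloak), a small Node harness that lets both kinds of policy discussed above be exercised offline before they are pasted into the admin console: `$evaluation` is a constructed stand-in modelling only the members the policies use, and the `kc.client.id` context attribute standing for the token's `azp` as well as the `impersonable` user attribute are assumptions.

```javascript
// Constructed stand-in for Keycloak's $evaluation object (assumption: only the
// members used by the policies below are modelled) so the policies can be run
// with Node before they are pasted into the admin console.
function makeEvaluation(identityAttrs, contextAttrs) {
  // Keycloak attributes are multi-valued; containsValue(name, value) is true
  // when the named attribute holds that value.
  const attrs = (map) => ({
    containsValue: (name, value) => (map[name] || []).includes(value),
  });
  return {
    context: {
      identity: { attributes: attrs(identityAttrs) },
      attributes: attrs(contextAttrs),
    },
    decision: 'deny', // constructed: records the policy's outcome
    grant() { this.decision = 'grant'; },
    deny() { this.decision = 'deny'; },
  };
}

// Policy for the `impersonate` scope: the identity is the admin. Grant only
// when the admin's token was issued for client FOO. Assumption: the
// `kc.client.id` context attribute reflects the token's `azp` claim, the same
// claim the thread says a client policy matches.
function impersonatePolicy($evaluation) {
  if ($evaluation.context.attributes.containsValue('kc.client.id', 'FOO')) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Policy for the `user-impersonated` scope: the identity is the user being
// impersonated. Generalises the thread's single-username check: any user whose
// (constructed) `impersonable` attribute is 'true' may be impersonated.
function userImpersonatedPolicy($evaluation) {
  if ($evaluation.context.identity.attributes.containsValue('impersonable', 'true')) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Runs a policy against constructed identity/context attributes and returns
// the decision ('grant' or 'deny').
function evaluate(policy, identityAttrs, contextAttrs) {
  const ev = makeEvaluation(identityAttrs, contextAttrs);
  policy(ev);
  return ev.decision;
}
```

A token issued for any client other than FOO, or a user without the `impersonable` attribute, is denied by the respective policy.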
 

Ulli Nowen

Jun 30, 2021, 12:31:12 PM
to Keycloak User
Thank you Pedro!

I'm guessing it is not possible to offer selected admin users the ability to impersonate all users in only Client FOO?

Out of the box -- select admins, with the impersonation role, can impersonate all users in all Clients (for a realm). We wanted to restrict the select admins to only impersonate all users in only 1 Client (or maybe 2 Clients).

Ulli Nowen

Jul 2, 2021, 3:29:56 PM
to Keycloak User
Gentle poke -- is the below possible via Fine Grain Permissions in v13.0.1?
- Out of the box -- select admins, with the impersonation role, can impersonate all users in all Clients (for a realm). We wanted to restrict the select admins to only impersonate all users in only 1 Client (for a realm).

Is the above possible?

Thank you.
