Support for granular permissions in Account Console #10450
Replies: 3 comments
I agree with having this capability. It should really be possible to at least control view/manage of each section of the account console. One issue here is that perhaps the view-* roles for account are not granular enough. Right now we have: View roles:
Not sure what the difference between consent and applications is here, as view or manage applications really should also mean consents, as applications are just apps that have been granted access to your account. Manage roles:
However, the admin console has the following capabilities:
As a side note, I also figured out that the "new" account console doesn't seem to let me see events (login, password updates, etc.) associated with my account. As a first pass we could at least support the roles that are there where it makes sense, but it may be that this is a bit of a bigger thing and requires introducing some more roles, and perhaps even deprecating/changing some other roles.
I agree that view-consent has no meaning due to view-applications. manage-consent is useful for being able to revoke access. Generally, I believe that the better approach is for the Keycloak team to redesign roles based on the capabilities mentioned. However, I believe that the current account console behavior is unacceptable and at least the changes mentioned in #8734 must be part of Keycloak 18. So, it is a matter of your priorities. PS. For us, view-groups is also missing from the account console, so that a user is able to know their groups and take the needed actions. We have an ongoing PR for this.
I have opened a PR for Support for granular permissions in Account Console.
Although Keycloak has 8 account roles, such as manage-account and view-profile, if a user does not have the role manage-account he cannot view or manage anything in the account console. The account console does not give the possibility to only view user credentials and applications and to manage consents. We do not want users being able to change their base profile information (email, first name and last name). This information is usually based on an external Identity Provider. #8734 exists for this mandatory functionality for our use case.
After discussion, I succeeded in finding a solution (a problematic one, of course) for giving a user the possibility to only view his basic profile without being able to manage his account. I have created a composite role containing all account roles in the account-console client. With it, if a user has the role view-profile and not the role manage-account, he is able to view his account, and when he tries to update his profile Keycloak informs him that this action is forbidden. Moreover, although the role manage-account-link exists, a user without the manage-account role cannot perform account linking.
I believe that the solution for #8734 can be based on the existing account roles and the possibility of adding a composite role to the account console. We only need a PR that consists of sending the needed account roles to the account console UI and making fields editable and showing buttons based on these roles. Do you also want account console pages to be hidden based on roles?
Do you want me to make a PR for #8734 and discuss it further?