
=== Master realm access control

The `master` realm in {project_name} is a special realm and is treated differently from other realms.
Users in the {project_name} `master` realm can be granted permission to manage zero or more of the realms deployed on the {project_name} server.
When a realm is created, {project_name} automatically creates various roles that grant fine-grained permissions to access that new realm.
Access to the Admin Console and the Admin REST endpoints can be controlled by mapping these roles to users in the `master` realm.
It is possible to create multiple superusers, as well as users that can only manage specific realms.

==== Global roles

There are two realm-level roles in the `master` realm.
These are:

* admin
* create-realm

Users with the `admin` role are superusers and have full access to manage any realm on the server. Users with the `create-realm` role
are allowed to create new realms. They will be granted full access to any new realm they create.

==== Realm specific roles

Admin users within the `master` realm can be granted management privileges to one or more other realms in the system.
Each realm in {project_name} is represented by a client in the `master` realm.
The name of the client is `<realm name>-realm`. Each of these clients has client-level roles defined on it, and each role grants a different
level of access to manage that individual realm.

The roles available are:

* view-realm
* view-users
* view-clients
* view-events
* manage-realm
* manage-users
* create-client
* manage-clients
* manage-events
* view-identity-providers
* manage-identity-providers
* impersonation

Assign the roles you want to your users and they will only be able to use that specific part of the administration console.

IMPORTANT: Admins with the `manage-users` role will only be able to assign admin roles that they themselves have. So, if an admin has the `manage-users` role but does not have the `manage-realm` role, they will not be able to assign `manage-realm`.
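The following script is an added example and not part of the Keycloak documentation or code base. It reads a `master` realm export (the JSON produced by a Keycloak realm export, whose `users[].realmRoles` and `users[].clientRoles` layout it assumes), reports which master-realm users hold the global `admin`/`create-realm` roles or any `<realm name>-realm` client roles, and models the assignment rule from the IMPORTANT note above: a non-superuser can hand out only roles they hold themselves, and only if they have `manage-users`. The sample export embedded in the script is constructed for the example; the interpretation that the relevant `manage-users` role is the one on the target realm's client is an assumption.

```python
"""Audit who can administer which realm, from a Keycloak `master` realm export.

Added example, not Keycloak project code. Assumes the realm export JSON layout
(`users[].realmRoles`, `users[].clientRoles`) and models the role semantics as
the documentation above states them.
"""
from __future__ import annotations
import json

# Constructed sample: a partial export of the `master` realm with three users.
SAMPLE_MASTER_EXPORT = json.dumps({
    "realm": "master",
    "users": [
        {"username": "root", "enabled": True,
         "realmRoles": ["default-roles-master", "admin"],
         "clientRoles": {}},
        {"username": "ops-alice", "enabled": True,
         "realmRoles": ["default-roles-master", "create-realm"],
         "clientRoles": {"payments-realm": ["manage-users", "view-realm"]}},
        {"username": "auditor-bob", "enabled": True,
         "realmRoles": ["default-roles-master"],
         "clientRoles": {"payments-realm": ["view-users", "view-events"],
                         "hr-realm": ["view-realm"],
                         "account": ["view-profile"]}},
    ],
})

# Realm-level roles of the master realm (global) and the client-level roles
# carried by each `<realm name>-realm` client, as listed in the text above.
GLOBAL_ROLES = {"admin", "create-realm"}
REALM_CLIENT_ROLES = {
    "view-realm", "view-users", "view-clients", "view-events",
    "manage-realm", "manage-users", "create-client", "manage-clients",
    "manage-events", "view-identity-providers",
    "manage-identity-providers", "impersonation",
}
# Roles that change state or act as another user; the rest are read-only.
WRITE_ROLES = ({r for r in REALM_CLIENT_ROLES if r.startswith("manage-")}
               | {"create-client", "impersonation"})
CLIENT_SUFFIX = "-realm"


def load_master_users(export_json: str) -> list[dict]:
    """Parse the export and refuse anything that is not the master realm."""
    data = json.loads(export_json)
    if data.get("realm") != "master":
        raise ValueError("expected an export of the master realm")
    return data.get("users", [])


def is_superuser(user: dict) -> bool:
    """The realm-level `admin` role in master grants full access everywhere."""
    return "admin" in user.get("realmRoles", [])


def managed_realms(user: dict) -> dict[str, set[str]]:
    """Realm name -> admin roles the user holds on that realm's `<realm>-realm`
    client. Other clients (e.g. `account`) are not realm-admin clients."""
    realms: dict[str, set[str]] = {}
    for client, roles in user.get("clientRoles", {}).items():
        if client.endswith(CLIENT_SUFFIX):
            realm = client[: -len(CLIENT_SUFFIX)]
            realms[realm] = set(roles) & REALM_CLIENT_ROLES
    return realms


def assignable_roles(grantor: dict, realm: str) -> set[str]:
    """Roles of `<realm>-realm` that `grantor` may assign to others, per the
    IMPORTANT note: superusers may assign any role; everyone else needs
    `manage-users` and may only assign roles they hold themselves, so
    `manage-users` without `manage-realm` cannot grant `manage-realm`.
    Assumption: `manage-users` is checked on the target realm's client."""
    if is_superuser(grantor):
        return set(REALM_CLIENT_ROLES)
    own = managed_realms(grantor).get(realm, set())
    return set(own) if "manage-users" in own else set()


def audit(export_json: str) -> list[dict]:
    """One finding per master-realm user holding any administrative role."""
    findings = []
    for user in load_master_users(export_json):
        global_roles = set(user.get("realmRoles", [])) & GLOBAL_ROLES
        realms = managed_realms(user)
        if not global_roles and not realms:
            continue
        write_access = (is_superuser(user)
                        or "create-realm" in global_roles
                        or any(roles & WRITE_ROLES for roles in realms.values()))
        findings.append({
            "username": user["username"],
            "superuser": is_superuser(user),
            "global_roles": sorted(global_roles),
            "realms": {r: sorted(roles) for r, roles in realms.items()},
            "write_access": write_access,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_EXPORT):
        print(json.dumps(finding, indent=2))
```

Run against a real export (`python audit.py < master-realm.json` after replacing the constructed sample with `sys.stdin.read()`), the `write_access` flag separates view-only auditors from accounts that can change a realm or impersonate its users, which is the list worth reviewing first. `assignable_roles` is the same rule the Admin Console enforces on the `manage-users` holder, expressed so it can be checked offline before roles are handed out.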