Keycloak permissions

When using Keycloak, it is sometimes necessary to grant BPC users permissions in Keycloak.

Only the permissions for role-based authorization (RBA) are specified here. The same result can also be achieved with Keycloak's fine-grained admin permissions.

For each function, it is sufficient to assign any one of the listed roles. Where several roles are required together, they are grouped in brackets and joined with AND.

As an alternative to the roles listed, the roles admin or realm-admin can be assigned. However, these are very powerful and should only be assigned deliberately.

General BPC functions

Function | Roles | Description
--- | --- | ---
Saving the user language in the Keycloak profile | manage-account | Required to store the language the user selects in the BPC as the language in the user's Keycloak profile. This role is often already assigned to every user via default-roles when a realm is created. If localization is activated in Keycloak, all Keycloak screens, such as the login page, are translated accordingly.
List organizations | manage-users, view-users, query-groups | Reads out the list of available organizations. This is used to offer a selection in the interface when assigning organizations. If the authorization is missing, the user has to enter the organizations manually.
List roles | manage-realm, view-realm, query-clients, query-users, query-groups, query-realms, manage-clients, view-clients | Reads out the list of available roles. This is used to offer a selection in the interface when assigning roles. If the authorization is missing, the user has to enter the roles manually. Attention: depending on whether the roles are realm or client roles, several of these roles may be required.
List rights | - | Not supported.

Integrated user administration

The following Keycloak authorizations are required for the individual functions of the integrated user administration.

Function | Roles
--- | ---
List users | manage-users, query-users
Display user authorizations | manage-users, (query-users AND view-users)
Add user | manage-users
Edit user | manage-users
Set password | manage-users
Impersonate user | (manage-users AND impersonation)

Edit user authorizations is currently not supported.
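As an added example (not part of the BPC or Keycloak documentation), the following Python snippet evaluates the role notation used in the tables above (comma-separated alternatives, bracketed AND-groups) against a user's effective roles, so an administrator can audit which BPC functions a given assignment actually unlocks and which role is still missing. The function labels and the example role sets are constructed for this illustration.

```python
"""Evaluate the BPC role requirements listed on this page against a set of
roles assigned to a Keycloak user (constructed example)."""
import re

# Requirement strings copied from the tables above. All of these roles except
# manage-account are client roles of Keycloak's built-in realm-management
# client; manage-account is a client role of the account client.
# "List rights" is omitted because the page marks it as not supported.
BPC_FUNCTIONS = {
    "Save user language": "manage-account",
    "List organizations": "manage-users, view-users, query-groups",
    "List roles": ("manage-realm, view-realm, query-clients, query-users, "
                   "query-groups, query-realms, manage-clients, view-clients"),
    "List users": "manage-users, query-users",
    "Display user authorizations": "manage-users, (query-users AND view-users)",
    "Add user": "manage-users",
    "Edit user": "manage-users",
    "Set password": "manage-users",
    "Impersonate user": "(manage-users AND impersonation)",
}


def parse_requirement(spec):
    """Return the alternatives of a requirement string as a list of role sets.
    Any one alternative satisfied is enough; every role inside a bracketed
    AND-group must be present. 'a, (b AND c)' -> [{'b', 'c'}, {'a'}]."""
    alternatives = []
    for group in re.findall(r"\(([^)]*)\)", spec):          # bracketed groups
        alternatives.append({r.strip() for r in group.split("AND")})
    rest = re.sub(r"\([^)]*\)", "", spec)                     # remaining singles
    alternatives.extend({r.strip()} for r in rest.split(",") if r.strip())
    return alternatives


def satisfied(spec, assigned):
    """True if at least one alternative is fully covered by the assigned roles."""
    return any(alt <= set(assigned) for alt in parse_requirement(spec))


def allowed_functions(assigned):
    """Sorted names of the BPC functions the assigned roles unlock."""
    return sorted(f for f, spec in BPC_FUNCTIONS.items() if satisfied(spec, assigned))


def missing_roles(spec, assigned):
    """Smallest set of additional roles that would satisfy the requirement
    (empty set if it is already satisfied)."""
    return min((alt - set(assigned) for alt in parse_requirement(spec)), key=len)
```

Running `allowed_functions({"query-users"})` shows that the query-users role alone only unlocks listing users and roles, while `missing_roles(BPC_FUNCTIONS["Impersonate user"], {"manage-users"})` reports that impersonation is still required.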
