8000 [FGAP] Clients empty when using role based policy and roles inherited from groups · Issue #39850 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
[FGAP] Clients empty when using role based policy and roles inherited from groups #39850
New issue
New issue
Closed
#39867
Closed
[FGAP] Clients empty when using role based policy and roles inherited from groups#39850
#39867
Assignees
pedroigor
Labels
area/admin/fine-grained-permissionskind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam
@smfukaya

Description

@smfukaya
smfukaya
opened on May 20, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/fine-grained-permissions

Describe the bug

I'm using Keycloak 26.2.4 and was trying to figure out how to make Fine-Grained Admin Permissions (FGAP) work for Clients.

I understood that the user must have (realm-management) query-clients role besides the condition set in the Permission Policy.

I enabled FGAP and created a role based policy ($${\color{NavyBlue}client-view-manager-myclient}$$) to allow specific users to view and manage a specific $${\color{ForestGreen}client}$$.

Policy Type Custom Role Group Roles Result
Role Name Associated Roles User member of Group Group assigned Roles User directly assigned Roles User inherited Roles
Role $${\color{NavyBlue}client-view-manager-myclient}$$
  • $${\color{Orange}(realm-management) \space query-clients}$$
  • $${\color{NavyBlue}client-view-manager-myclient}$$
 Client and Client Scopes menus are displayed. The user can view and manage $${\color{ForestGreen}my-client}$$
$${\color{NavyBlue}client-view-manager-myclient}$$
  • $${\color{CornflowerBlue}(realm-management) \space query-clients}$$
  • $${\color{NavyBlue}client-view-manager-myclient}$$
  • $${\color{CornflowerBlue}(realm-management) \space query-clients}$$
 Client menu is displayed. The user can view and manage $${\color{ForestGreen}my-client}$$
$${\color{NavyBlue}client-view-manager-myclient}$$
  • $${\color{CornflowerBlue}(realm-management) \space query-clients}$$
 $${\color{Mulberry}group-myclient-managers}$$
  • $${\color{Thistle}client-view-manager-myclient}$$
  • $${\color{CornflowerBlue}(realm-management) \space query-clients}$$
  • $${\color{Thistle}client-view-manager-myclient}$$
 $${\color{Red}Client \space menu \space is \space displayed. \space But \space clients \space list \space is \space empty.}$$
$${\color{NavyBlue}client-view-manager-myclient}$$ $${\color{Mulberry}group-myclient-managers}$$
  • $${\color{Thistle}(realm-management) \space query-clients}$$
  • $${\color{Thistle}client-view-manager-myclient}$$
  • $${\color{Thistle}(realm-management) \space query-clients}$$
  • $${\color{Thistle}client-view-manager-myclient}$$
 $${\color{Red}Client \space menu \space is \space displayed. \space But \space clients \space list \space is \space empty.}$$
Group $${\color{Mulberry}group-myclient-managers}$$ $${\color{Red}No \space menu \space is \space displayed \space (besides \space the \space Realm) \space and \space a \space message \space "You \space do \space not \space have \space permission. \space Please \space contact \space your \space administrator." \space is \space shown.}$$
$${\color{Mulberry}group-myclient-managers}$$
  • $${\color{Thistle}(realm-management) \space query-clients}$$
  • $${\color{Thistle}(realm-management) \space query-clients}$$
 Client menu is displayed. The user can view and manage $${\color{ForestGreen}my-client}$$
$${\color{Mulberry}group-myclient-managers}$$
  • $${\color{Orange}(realm-management) \space query-clients}$$
 Client menu is displayed. The user can view and manage $${\color{ForestGreen}my-client}$$

Based on the above tests and results, it seems that, with role based policy, that partial evaluation is not processing the specific role group-myclient-managers inherited (indirectly assigned by composite roles or groups, i.e., cases 3 and 4) making the Client menu available, but without listing the allowed client.

The error in the 5th case is expected as the (realm-management) query-clients role wasn't assigned to the user.

Version

26.2.4

Regression

  • The issue is a regression

Expected behavior

Users that have the specific role $${\color{Thistle}client-view-manager-myclient}$$ that satisfies the role based policy permission inherited by groups should be able not only to see the Clients menu, but also list (view scope) and manage (manage scope) the specific $${\color{ForestGreen}client}$$.

Actual behavior

Users that have the specific role $${\color{Thistle}client-view-manager-myclient}$$ that satisfies role based policy permission inherited by groups only see the Clients menu, but the specific $${\color{ForestGreen}client}$$ is not listed (no client is listed).

How to Reproduce?

Check 3rd and 4th case in the bug description table.

Anything else?

No response

Metadata

Metadata

Assignees

Labels

area/admin/fine-grained-permissionskind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.3.0team/core-iam

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0