JBoss.org Community Documentation

Chapter 6. Master Admin Access Control

6.1. Global Roles
6.2. Realm Specific Roles

You can create and manage multiple realms by logging into the master Keycloak admin console at /{keycloak-root}/admin/index.html

Users in the Keycloak master realm can be granted permission to manage zero or more of the realms deployed on the Keycloak server. When a realm is created, Keycloak automatically creates a set of roles that grant fine-grained permissions on that new realm. Access to the Admin Console and the admin REST endpoints is controlled by mapping these roles to users in the master realm, so it is possible to have several super users as well as users who may perform only certain operations in specific realms.

There are two realm roles in the master realm. These are:

  • admin - This is the super-user role and grants permission to perform all operations on all realms.
  • create-realm - This grants the user permission to create new realms. A user that creates a realm is granted all permissions to the newly created realm.

To add these roles to a user select the master realm, then click on Users. Find the user you want to grant permissions to, open the user and click on Role Mappings. Under Realm Roles assign any of the above roles to the user by selecting it and clicking on the right-arrow.

Each realm in Keycloak is represented by an application in the master realm, named <realm name>-realm. Access is granted per realm by assigning that application's roles to a master-realm user. The roles available are:

  • view-realm - View the realm configuration
  • view-users - View users (including details for specific user) in the realm
  • view-applications - View applications in the realm
  • view-clients - View clients in the realm
  • view-events - View events in the realm
  • manage-realm - Modify the realm configuration (and delete the realm)
  • manage-users - Create, modify and delete users in the realm
  • manage-applications - Create, modify and delete applications in the realm
  • manage-clients - Create, modify and delete clients in the realm
  • manage-events - Enable/disable events, clear logged events and manage event listeners

Each manage-* role also includes the corresponding view permission (for example, a user with the manage-realm role can also view the realm configuration).

To add these roles to a user select the master realm, then click on Users. Find the user you want to grant permissions to, open the user and click on Role Mappings. Under Application Roles select the application that represents the realm you're adding permissions to (<realm name>-realm), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
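The following Python model is an added example and not part of the Keycloak documentation or code base. It encodes the rules above (admin overrides everything, create-realm is a master-realm role, realm-specific roles live on the <realm name>-realm application, and manage-* implies view-*) so that an access review can check what a given master-realm user may do and compute the smallest role set that satisfies a list of needs; the user records are constructed sample data.

```python
# Added example (not part of the Keycloak docs): a model of the master-realm
# admin permission rules described in this chapter, usable for access reviews.
# The user records at the bottom are constructed sample data.

RESOURCES = ("realm", "users", "applications", "clients", "events")
ACTIONS = ("view", "manage")

def realm_client(realm: str) -> str:
    """Name of the master-realm application that represents `realm`."""
    return f"{realm}-realm"

def is_allowed(user: dict, realm: str, action: str, resource: str = None) -> bool:
    """Decide whether a master-realm user may perform `action` on `resource`
    in `realm`. `user` is {"realm_roles": [...], "client_roles": {app: [...]}}."""
    realm_roles = set(user.get("realm_roles", ()))
    if "admin" in realm_roles:          # super-user: every operation, every realm
        return True
    if action == "create-realm":        # master realm role, not realm-scoped
        return "create-realm" in realm_roles
    if action not in ACTIONS or resource not in RESOURCES:
        raise ValueError(f"unknown operation {action}-{resource}")
    # Realm-specific roles are application roles on "<realm>-realm".
    roles = set(user.get("client_roles", {}).get(realm_client(realm), ()))
    if f"manage-{resource}" in roles:   # manage-* implies the matching view-*
        return True
    return action == "view" and f"view-{resource}" in roles

def least_privilege_roles(needs) -> list:
    """Smallest set of <realm>-realm roles covering `needs`, an iterable of
    (action, resource) pairs; a manage-* role makes view-* redundant."""
    wanted = {}
    for action, resource in needs:
        if action not in ACTIONS or resource not in RESOURCES:
            raise ValueError(f"unknown operation {action}-{resource}")
        if action == "manage" or resource not in wanted:
            wanted[resource] = action
    return sorted(f"{a}-{r}" for r, a in wanted.items())

# Constructed sample users in the master realm.
ROOT = {"realm_roles": ["admin"], "client_roles": {}}
HELPDESK = {"realm_roles": [],
            "client_roles": {"customers-realm": ["view-users", "manage-events"]}}

if __name__ == "__main__":
    print(is_allowed(HELPDESK, "customers", "view", "users"))    # True
    print(is_allowed(HELPDESK, "customers", "manage", "users"))  # False
    print(least_privilege_roles([("view", "users"), ("manage", "events")]))
```

Running the script shows that the helpdesk user can view but not manage users in the customers realm and has no access at all to any other realm.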