Is there a way to directly assign permissions to roles with Keycloak Admin API?

Hello, I’m working with Keycloak and I need to assign permissions directly to roles using the Keycloak Admin API. I’m aware that roles can be created and assigned to users, but I’m unsure of the exact process to assign specific permissions to these roles through the API.

Can anyone provide a detailed approach or example of how to achieve this?

Any help or examples would be greatly appreciated! Thank you.

A role does not have permissions, it's just the role. A role can have attributes, but these are completely not used by default in Keycloak. Nobody knows why the attributes are there.


Oh okay. Is there any good workaround solution for this? Thanks for your answer.

There’s an example within Keycloak itself where there are permissions defined as roles. For instance the client roles view-users, query-users, manage-users manage access to the users resource. There are other sets of roles for permissions to other resources in the API like clients.

I haven’t found this strategy useful when working with clients. There are often too many resources and the resource-based access is too coarse.

Fine-grained permissions are app specific and I find that customers often have multiple apps. Consider a mobile app that has a “Submit” button on a form that should be disabled whereas a desktop app has a richer wizard with Next, Previous, and Finalize buttons that should be disabled.

As a result, I’ve only managed fine-grained permissions with app-specific code that is linked to Keycloak by Role. “Group” could be an alternative though I haven’t done that.

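The approach from the last reply, app-specific permission code linked to Keycloak by role, as an added example that is not part of the thread and not Keycloak's own code. The role names, permission names and the client id `desktop-app` are hypothetical, and the token claims are assumed to have been signature-verified and decoded already.

```javascript
// App-specific permission map keyed by Keycloak role name.
// All role and permission names here are hypothetical.
const ROLE_PERMISSIONS = new Map([
  ["form-submitter", ["form:submit"]],
  ["wizard-editor", ["wizard:next", "wizard:previous"]],
  ["wizard-approver", ["wizard:next", "wizard:previous", "wizard:finalize"]],
]);

// Collect realm roles plus the roles of one client from decoded access-token
// claims. Keycloak places them in realm_access.roles and
// resource_access[clientId].roles; anything malformed is ignored.
function rolesFromClaims(claims, clientId) {
  const realm = claims?.realm_access?.roles;
  const client = claims?.resource_access?.[clientId]?.roles;
  const all = [
    ...(Array.isArray(realm) ? realm : []),
    ...(Array.isArray(client) ? client : []),
  ];
  return new Set(all.filter((r) => typeof r === "string"));
}

// Union of the permissions granted by the roles present in the token.
// Roles that are not in the map (e.g. offline_access) grant nothing.
function permissionsFor(claims, clientId) {
  const perms = new Set();
  for (const role of rolesFromClaims(claims, clientId)) {
    for (const p of ROLE_PERMISSIONS.get(role) ?? []) perms.add(p);
  }
  return perms;
}

// Deny by default: a permission is granted only if some role maps to it.
function can(claims, clientId, permission) {
  return permissionsFor(claims, clientId).has(permission);
}

// Constructed sample claims for illustration.
const sampleClaims = {
  preferred_username: "alice",
  realm_access: { roles: ["offline_access", "form-submitter"] },
  resource_access: { "desktop-app": { roles: ["wizard-editor"] } },
};

console.log(can(sampleClaims, "desktop-app", "wizard:previous"));
console.log(can(sampleClaims, "desktop-app", "wizard:finalize"));
```

Disabling a button from this check only shapes the UI; the backend that handles the action has to run the same check against the token it receives.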