"user profile" with read-only attributes

Using the “user profile” section, I inserted a list of attributes. Since I have a corporate LDAP integration (in read-only mode), is it possible to make these attributes read-only in the GUI? Currently, it is possible to modify them, but when I try to save, I get an error message. I would like them to be disabled when the user is federated with LDAP. Can I do this? Do I need to create a custom provider? Thanks.

In Realm settings > User Profile > Edit > Permissions you can revoke the editability for users and admins. Or do you mean something else?

Yes, but I would like some fields to be read-only only if the user is federated (LDAP).

Hey @MarcelloT, yes you can.
That has changed; before, there was a user attributes tab and you could see mapped attributes. Now that is removed, and you have to define them in Realm Settings → User profile.
Then add the attribute you want to see when the user is mapped, for example some of mine:

Then, after a successful login, when I open the user details I can see the mapped value.

Yes, but my problem is different. I want an attribute to be read-only, only if the user is federated.

That sounds like something that Keycloak should handle by default?
I have my User Federation and they are READ_ONLY without configuring anything from my side…
When I try, I get:
Could not create user: user is read only for this update

I want the non-editable fields to be locked and read-only when opening the user details. Currently, you can edit them, but after saving, an error message appears (in the case of LDAP, read-only). My question is: is this possible? Or do I need to create an extension?

Yes, I mean at least in my case using User Federation.
But you have to uncheck this in user profile settings for all fields that should not be “editable”

Then when I open the user details I cannot edit the field:

Yes, but I’d like the admin to be able to edit these fields for local users (not LDAP). If I uncheck the box, the admin won’t be able to edit them for any user.

I’m not aware of such a config option in Keycloak by default.
But perhaps, this will help you:

If the declared attribute is a “pure Keycloak attribute”, meaning it is not mapped between LDAP and Keycloak, then there’s no option ootb.

If the attribute is declared and also a mapped attribute between LDAP and Keycloak, and the LDAP provider is read-only, the attribute appears as a read-only attribute for the admin for LDAP (federated) users and writable for regular/local users.

I’m not clear on this scenario: “The attribute appears as a read-only attribute for the admin for LDAP (federated) users and writable for regular/local users.” In any case, is it possible to change the GUI’s behavior by creating a provider/extension?

The admin UI is mostly not controllable through an extension, only on very few pages. If you really want to develop an extension for your requirements, you will most likely end up also implementing a custom admin console. It’s not just a theme, it’s React development…