keycloak.UsersPermissions
Allows you to manage fine-grained permissions for all users in a realm: https://www.keycloak.org/docs/latest/server_admin/#_users-permissions
This is part of a preview Keycloak feature: admin_fine_grained_authz (see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions). On the legacy WildFly distribution this feature can be enabled with the Keycloak option -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled; on the Quarkus distribution the equivalent is the --features=admin-fine-grained-authz start option. See the provider repository's example docker-compose.yml file for an example.
When enabling fine-grained permissions for users, Keycloak does several things automatically:
- Enable Authorization on the built-in realm-management client (if not already enabled).
- Create a resource representing the users permissions.
- Create the scopes view, manage, map-roles, manage-group-membership, impersonate, and user-impersonated.
- Create a scope-based permission for each of these scopes on the users resource.
This resource should only be created once per realm.
Example Usage
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
  # enable permissions for the realm-management client
  realmManagementPermission:
    type: keycloak:openid:ClientPermissions
    name: realm_management_permission
    properties:
      realmId: ${realm.id}
      clientId: ${realmManagement.id}
      enabled: true
  # create a user to use with the keycloak:openid:ClientUserPolicy resource
  test:
    type: keycloak:User
    properties:
      realmId: ${realm.id}
      username: test-user
      email: test-user@fakedomain.com
      firstName: Testy
      lastName: Tester
  testClientUserPolicy:
    type: keycloak:openid:ClientUserPolicy
    name: test
    properties:
      realmId: ${realm.id}
      resourceServerId: ${realmManagement.id}
      name: client_user_policy_test
      users:
        - ${test.id}
      logic: POSITIVE
      decisionStrategy: UNANIMOUS
    options:
      # the policy can only be created once authorization is enabled on realm-management
      dependsOn:
        - ${realmManagementPermission}
  usersPermissions:
    type: keycloak:UsersPermissions
    name: users_permissions
    properties:
      realmId: ${realm.id}
      viewScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      manageScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      mapRolesScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      manageGroupMembershipScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      impersonateScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
      userImpersonatedScope:
        policies:
          - ${testClientUserPolicy.id}
        description: description
        decisionStrategy: UNANIMOUS
variables:
  realmManagement:
    fn::invoke:
      Function: keycloak:openid:getClient
      Arguments:
        realmId: ${realm.id}
        clientId: realm-management
Argument Reference
The following arguments are supported:
- realm_id - (Required) The realm in which to manage fine-grained user permissions.
Each of the scopes that can be managed are defined below:
- view_scope - (Optional) When specified, set the scope based view permission.
- manage_scope - (Optional) When specified, set the scope based manage permission.
- map_roles_scope - (Optional) When specified, set the scope based map_roles permission.
- manage_group_membership_scope - (Optional) When specified, set the scope based manage_group_membership permission.
- impersonate_scope - (Optional) When specified, set the scope based impersonate permission.
- user_impersonated_scope - (Optional) When specified, set the scope based user_impersonated permission.
The impersonate and user_impersonated scopes are the most sensitive of the six: impersonate decides who may open a session as another user, and user_impersonated decides which users may be impersonated. Bind them to narrower policies than the view scope rather than reusing one policy for every scope, as the example above does for simplicity.
The configuration block for each of these scopes supports the following arguments:
- policies - (Optional) Assigned policies to the permission. Each element within this list should be a policy ID.
- description - (Optional) Description of the permission.
- decision_strategy - (Optional) Decision strategy of the permission, i.e. how the votes of the assigned policies are combined (UNANIMOUS, AFFIRMATIVE or CONSENSUS).
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
- enabled - When true, this indicates that fine-grained user permissions are enabled. This will always be true.
- authorization_resource_server_id - Resource server id representing the realm management client on which these permissions are managed.
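The decision_strategy and policies settings above, together with the logic setting on each policy, determine whether a scope is granted to a given administrator. The following is an added illustration, not code from Keycloak or the pulumi-keycloak provider: a small Python model of that evaluation (every attached policy votes, a NEGATIVE policy inverts its own vote, and UNANIMOUS, AFFIRMATIVE or CONSENSUS aggregate the votes), applied to a least-privilege split of the six scopes on this page instead of one policy on every scope. All users, groups and policy names are constructed sample data, and the rule that a scope with no policies grants nothing is an assumption of the model, not a documented Keycloak guarantee.

```python
"""Added illustration (not Keycloak or pulumi-keycloak code): how the
`policies`, `logic` and `decision_strategy` settings of a scope permission
combine into a grant or a denial. Every policy votes, a NEGATIVE policy
inverts its own vote, and the permission's decision strategy aggregates the
votes. All users, groups and policy names are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# The six scopes Keycloak creates on the users resource (see this page).
SCOPES = ("view", "manage", "map-roles", "manage-group-membership",
          "impersonate", "user-impersonated")


@dataclass(frozen=True)
class Context:
    """The administrator whose request is being evaluated."""
    user: str
    groups: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    name: str
    matches: Callable[[Context], bool]   # the policy's own condition
    logic: str = "POSITIVE"              # POSITIVE or NEGATIVE

    def vote(self, ctx: Context) -> bool:
        permit = self.matches(ctx)
        return permit if self.logic == "POSITIVE" else not permit


@dataclass
class ScopePermission:
    scope: str
    policies: List[Policy]
    decision_strategy: str = "UNANIMOUS"  # UNANIMOUS, AFFIRMATIVE or CONSENSUS

    def evaluate(self, ctx: Context) -> bool:
        # Assumption of this model: a permission with no policies grants nothing.
        if not self.policies:
            return False
        votes = [p.vote(ctx) for p in self.policies]
        permits = sum(votes)
        denies = len(votes) - permits
        if self.decision_strategy == "AFFIRMATIVE":
            return permits > 0          # any single permit is enough
        if self.decision_strategy == "UNANIMOUS":
            return denies == 0          # every policy must permit
        if self.decision_strategy == "CONSENSUS":
            return permits > denies     # majority of permits
        raise ValueError(f"unknown decision strategy {self.decision_strategy!r}")


def user_policy(name: str, *users: str, logic: str = "POSITIVE") -> Policy:
    allowed = frozenset(users)
    return Policy(name, lambda ctx: ctx.user in allowed, logic)


def group_policy(name: str, *groups: str, logic: str = "POSITIVE") -> Policy:
    wanted = frozenset(groups)
    return Policy(name, lambda ctx: bool(ctx.groups & wanted), logic)


def page_style_permissions(policy: Policy) -> Dict[str, ScopePermission]:
    """Mirror the page's example: one policy attached to all six scopes."""
    return {s: ScopePermission(s, [policy], "UNANIMOUS") for s in SCOPES}


def split_permissions() -> Dict[str, ScopePermission]:
    """Least-privilege split: read-only scopes to a helpdesk group, impersonate
    only to named leads who are not contractors, everything else unassigned."""
    helpdesk = group_policy("helpdesk-group", "/helpdesk")
    leads = user_policy("support-leads", "alice")
    not_contractor = group_policy("no-contractors", "/contractors", logic="NEGATIVE")
    perms = {s: ScopePermission(s, []) for s in SCOPES}
    perms["view"] = ScopePermission("view", [helpdesk], "AFFIRMATIVE")
    perms["manage-group-membership"] = ScopePermission(
        "manage-group-membership", [helpdesk], "AFFIRMATIVE")
    # UNANIMOUS here: the NEGATIVE contractor policy must not be out-voted.
    perms["impersonate"] = ScopePermission(
        "impersonate", [leads, not_contractor], "UNANIMOUS")
    return perms


def granted_scopes(perms: Dict[str, ScopePermission], ctx: Context) -> Set[str]:
    return {s for s, p in perms.items() if p.evaluate(ctx)}


if __name__ == "__main__":
    perms = split_permissions()
    for who in (Context("alice", frozenset({"/helpdesk"})),
                Context("bob", frozenset({"/helpdesk"})),
                Context("alice", frozenset({"/helpdesk", "/contractors"}))):
        print(who.user, sorted(who.groups), sorted(granted_scopes(perms, who)))
```

The pitfall the model makes visible: if the impersonate permission above were switched to AFFIRMATIVE, the NEGATIVE "no-contractors" policy alone would permit anyone who is not a contractor, including bob, because a negative policy votes permit whenever its condition does not match. Negative policies are only safe under UNANIMOUS.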
Create UsersPermissions Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new UsersPermissions(name: string, args: UsersPermissionsArgs, opts?: CustomResourceOptions);
@overload
def UsersPermissions(resource_name: str,
args: UsersPermissionsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def UsersPermissions(resource_name: str,
opts: Optional[ResourceOptions] = None,
realm_id: Optional[str] = None,
impersonate_scope: Optional[UsersPermissionsImpersonateScopeArgs] = None,
manage_group_membership_scope: Optional[UsersPermissionsManageGroupMembershipScopeArgs] = None,
manage_scope: Optional[UsersPermissionsManageScopeArgs] = None,
map_roles_scope: Optional[UsersPermissionsMapRolesScopeArgs] = None,
user_impersonated_scope: Optional[UsersPermissionsUserImpersonatedScopeArgs] = None,
view_scope: Optional[UsersPermissionsViewScopeArgs] = None)
func NewUsersPermissions(ctx *Context, name string, args UsersPermissionsArgs, opts ...ResourceOption) (*UsersPermissions, error)
public UsersPermissions(string name, UsersPermissionsArgs args, CustomResourceOptions? opts = null)
public UsersPermissions(String name, UsersPermissionsArgs args)
public UsersPermissions(String name, UsersPermissionsArgs args, CustomResourceOptions options)
type: keycloak:UsersPermissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args UsersPermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args UsersPermissionsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args UsersPermissionsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args UsersPermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args UsersPermissionsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var usersPermissionsResource = new Keycloak.UsersPermissions("usersPermissionsResource", new()
{
RealmId = "string",
ImpersonateScope = new Keycloak.Inputs.UsersPermissionsImpersonateScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
ManageGroupMembershipScope = new Keycloak.Inputs.UsersPermissionsManageGroupMembershipScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
ManageScope = new Keycloak.Inputs.UsersPermissionsManageScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
MapRolesScope = new Keycloak.Inputs.UsersPermissionsMapRolesScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
UserImpersonatedScope = new Keycloak.Inputs.UsersPermissionsUserImpersonatedScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
ViewScope = new Keycloak.Inputs.UsersPermissionsViewScopeArgs
{
DecisionStrategy = "string",
Description = "string",
Policies = new[]
{
"string",
},
},
});
example, err := keycloak.NewUsersPermissions(ctx, "usersPermissionsResource", &keycloak.UsersPermissionsArgs{
RealmId: pulumi.String("string"),
ImpersonateScope: &keycloak.UsersPermissionsImpersonateScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
ManageGroupMembershipScope: &keycloak.UsersPermissionsManageGroupMembershipScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
ManageScope: &keycloak.UsersPermissionsManageScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
MapRolesScope: &keycloak.UsersPermissionsMapRolesScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
UserImpersonatedScope: &keycloak.UsersPermissionsUserImpersonatedScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
ViewScope: &keycloak.UsersPermissionsViewScopeArgs{
DecisionStrategy: pulumi.String("string"),
Description: pulumi.String("string"),
Policies: pulumi.StringArray{
pulumi.String("string"),
},
},
})
var usersPermissionsResource = new UsersPermissions("usersPermissionsResource", UsersPermissionsArgs.builder()
.realmId("string")
.impersonateScope(UsersPermissionsImpersonateScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.manageGroupMembershipScope(UsersPermissionsManageGroupMembershipScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.manageScope(UsersPermissionsManageScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.mapRolesScope(UsersPermissionsMapRolesScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.userImpersonatedScope(UsersPermissionsUserImpersonatedScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.viewScope(UsersPermissionsViewScopeArgs.builder()
.decisionStrategy("string")
.description("string")
.policies("string")
.build())
.build());
users_permissions_resource = keycloak.UsersPermissions("usersPermissionsResource",
realm_id="string",
impersonate_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
},
manage_group_membership_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
},
manage_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
},
map_roles_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
},
user_impersonated_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
},
view_scope={
"decision_strategy": "string",
"description": "string",
"policies": ["string"],
})
const usersPermissionsResource = new keycloak.UsersPermissions("usersPermissionsResource", {
realmId: "string",
impersonateScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
manageGroupMembershipScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
manageScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
mapRolesScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
userImpersonatedScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
viewScope: {
decisionStrategy: "string",
description: "string",
policies: ["string"],
},
});
type: keycloak:UsersPermissions
properties:
  impersonateScope:
    decisionStrategy: string
    description: string
    policies:
      - string
  manageGroupMembershipScope:
    decisionStrategy: string
    description: string
    policies:
      - string
  manageScope:
    decisionStrategy: string
    description: string
    policies:
      - string
  mapRolesScope:
    decisionStrategy: string
    description: string
    policies:
      - string
  realmId: string
  userImpersonatedScope:
    decisionStrategy: string
    description: string
    policies:
      - string
  viewScope:
    decisionStrategy: string
    description: string
    policies:
      - string
UsersPermissions Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The UsersPermissions resource accepts the following input properties:
C#:
- RealmId string
- ImpersonateScope UsersPermissionsImpersonateScope
- ManageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- ManageScope UsersPermissionsManageScope
- MapRolesScope UsersPermissionsMapRolesScope
- UserImpersonatedScope UsersPermissionsUserImpersonatedScope
- ViewScope UsersPermissionsViewScope
Go:
- RealmId string
- ImpersonateScope UsersPermissionsImpersonateScopeArgs
- ManageGroupMembershipScope UsersPermissionsManageGroupMembershipScopeArgs
- ManageScope UsersPermissionsManageScopeArgs
- MapRolesScope UsersPermissionsMapRolesScopeArgs
- UserImpersonatedScope UsersPermissionsUserImpersonatedScopeArgs
- ViewScope UsersPermissionsViewScopeArgs
Java:
- realmId String
- impersonateScope UsersPermissionsImpersonateScope
- manageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- manageScope UsersPermissionsManageScope
- mapRolesScope UsersPermissionsMapRolesScope
- userImpersonatedScope UsersPermissionsUserImpersonatedScope
- viewScope UsersPermissionsViewScope
TypeScript:
- realmId string
- impersonateScope UsersPermissionsImpersonateScope
- manageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- manageScope UsersPermissionsManageScope
- mapRolesScope UsersPermissionsMapRolesScope
- userImpersonatedScope UsersPermissionsUserImpersonatedScope
- viewScope UsersPermissionsViewScope
Python:
- realm_id str
- impersonate_scope UsersPermissionsImpersonateScopeArgs
- manage_group_membership_scope UsersPermissionsManageGroupMembershipScopeArgs
- manage_scope UsersPermissionsManageScopeArgs
- map_roles_scope UsersPermissionsMapRolesScopeArgs
- user_impersonated_scope UsersPermissionsUserImpersonatedScopeArgs
- view_scope UsersPermissionsViewScopeArgs
Outputs
All input properties are implicitly available as output properties. Additionally, the UsersPermissions resource produces the following output properties:
- authorizationResourceServerId string (Python: authorization_resource_server_id) - Resource server id representing the realm management client on which these permissions are managed.
- enabled bool - Always true once the resource exists.
- id string - The provider-assigned unique ID for this managed resource.
Look up Existing UsersPermissions Resource
Get an existing UsersPermissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: UsersPermissionsState, opts?: CustomResourceOptions): UsersPermissions
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
authorization_resource_server_id: Optional[str] = None,
enabled: Optional[bool] = None,
impersonate_scope: Optional[UsersPermissionsImpersonateScopeArgs] = None,
manage_group_membership_scope: Optional[UsersPermissionsManageGroupMembershipScopeArgs] = None,
manage_scope: Optional[UsersPermissionsManageScopeArgs] = None,
map_roles_scope: Optional[UsersPermissionsMapRolesScopeArgs] = None,
realm_id: Optional[str] = None,
user_impersonated_scope: Optional[UsersPermissionsUserImpersonatedScopeArgs] = None,
view_scope: Optional[UsersPermissionsViewScopeArgs] = None) -> UsersPermissions
func GetUsersPermissions(ctx *Context, name string, id IDInput, state *UsersPermissionsState, opts ...ResourceOption) (*UsersPermissions, error)
public static UsersPermissions Get(string name, Input<string> id, UsersPermissionsState? state, CustomResourceOptions? opts = null)
public static UsersPermissions get(String name, Output<String> id, UsersPermissionsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
C#:
- AuthorizationResourceServerId string - Resource server id representing the realm management client on which this permission is managed
- Enabled bool
- ImpersonateScope UsersPermissionsImpersonateScope
- ManageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- ManageScope UsersPermissionsManageScope
- MapRolesScope UsersPermissionsMapRolesScope
- RealmId string
- UserImpersonatedScope UsersPermissionsUserImpersonatedScope
- ViewScope UsersPermissionsViewScope
Go:
- AuthorizationResourceServerId string - Resource server id representing the realm management client on which this permission is managed
- Enabled bool
- ImpersonateScope UsersPermissionsImpersonateScopeArgs
- ManageGroupMembershipScope UsersPermissionsManageGroupMembershipScopeArgs
- ManageScope UsersPermissionsManageScopeArgs
- MapRolesScope UsersPermissionsMapRolesScopeArgs
- RealmId string
- UserImpersonatedScope UsersPermissionsUserImpersonatedScopeArgs
- ViewScope UsersPermissionsViewScopeArgs
Java:
- authorizationResourceServerId String - Resource server id representing the realm management client on which this permission is managed
- enabled Boolean
- impersonateScope UsersPermissionsImpersonateScope
- manageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- manageScope UsersPermissionsManageScope
- mapRolesScope UsersPermissionsMapRolesScope
- realmId String
- userImpersonatedScope UsersPermissionsUserImpersonatedScope
- viewScope UsersPermissionsViewScope
TypeScript:
- authorizationResourceServerId string - Resource server id representing the realm management client on which this permission is managed
- enabled boolean
- impersonateScope UsersPermissionsImpersonateScope
- manageGroupMembershipScope UsersPermissionsManageGroupMembershipScope
- manageScope UsersPermissionsManageScope
- mapRolesScope UsersPermissionsMapRolesScope
- realmId string
- userImpersonatedScope UsersPermissionsUserImpersonatedScope
- viewScope UsersPermissionsViewScope
Python:
- authorization_resource_server_id str - Resource server id representing the realm management client on which this permission is managed
- enabled bool
- impersonate_scope UsersPermissionsImpersonateScopeArgs
- manage_group_membership_scope UsersPermissionsManageGroupMembershipScopeArgs
- manage_scope UsersPermissionsManageScopeArgs
- map_roles_scope UsersPermissionsMapRolesScopeArgs
- realm_id str
- user_impersonated_scope UsersPermissionsUserImpersonatedScopeArgs
- view_scope UsersPermissionsViewScopeArgs
YAML:
- authorizationResourceServerId String - Resource server id representing the realm management client on which this permission is managed
- enabled Boolean
- impersonateScope Property Map
- manageGroupMembershipScope Property Map
- manageScope Property Map
- mapRolesScope Property Map
- realmId String
- userImpersonatedScope Property Map
- viewScope Property Map
Supporting Types
Each of the six scope types below carries the same three fields; the names and types per language are:
- DecisionStrategy string (C#, Go); decisionStrategy String (Java, YAML); decisionStrategy string (TypeScript); decision_strategy str (Python)
- Description string (C#, Go); description String (Java, YAML); description string (TypeScript); description str (Python)
- Policies List<string> (C#); Policies []string (Go); policies List<String> (Java, YAML); policies string[] (TypeScript); policies Sequence[str] (Python)
UsersPermissionsImpersonateScope, UsersPermissionsImpersonateScopeArgs
- DecisionStrategy, Description, Policies as listed above
UsersPermissionsManageGroupMembershipScope, UsersPermissionsManageGroupMembershipScopeArgs
- DecisionStrategy, Description, Policies as listed above
UsersPermissionsManageScope, UsersPermissionsManageScopeArgs
- DecisionStrategy, Description, Policies as listed above
UsersPermissionsMapRolesScope, UsersPermissionsMapRolesScopeArgs
- DecisionStrategy, Description, Policies as listed above
UsersPermissionsUserImpersonatedScope, UsersPermissionsUserImpersonatedScopeArgs
- DecisionStrategy, Description, Policies as listed above
UsersPermissionsViewScope, UsersPermissionsViewScopeArgs
- DecisionStrategy, Description, Policies as listed above
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the keycloak Terraform Provider.