Skip to content

Allow managing realm admin roles if the the realm-admin role is granted #43584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pedroigor merged 1 commit into from
Oct 23, 2025
Merged

Allow managing realm admin roles if the the realm-admin role is granted #43584

pedroigor merged 1 commit into from
Oct 23, 2025

Conversation

@pedroigor
Copy link
Contributor

@pedroigor pedroigor commented Oct 17, 2025
edited
Loading

Closes #43579
Closes #43578

@pedroigor pedroigor requested a review from a team as a code owner October 17, 2025 16:35
@pedroigor pedroigor force-pushed the issue-43579 branch 3 times, most recently from 50739d8 to 6acae17 Compare October 17, 2025 17:04
@pedroigor pedroigor requested a review from vramik October 17, 2025 18:49
vramik
vramik suggested changes Oct 20, 2025
View reviewed changes
Copy link
Contributor

@vramik vramik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @pedroigor, thanks for this PR.

I'm looking at the changes, and I'm a bit confused about the new direction regarding admin role mappings.

My understanding from our previous discussion was that we explicitly decided only server admins should be allowed to map admin roles, and we would not extend this privilege to delegated realm admins.

Based on that agreement, I created:

PR 41145 (#41145) to enforce this restriction.

PR 40271 (#40271) to document this behavior in the release notes.

I also closed (as not planned) a couple of other issues based on that decision.

This PR seems to reverse that decision and allow delegated admins to manage these roles. Could you share the reasoning behind this change?

I just want to make sure I'm on the same page and understand the new context, especially since we'll need to update the documentation if we proceed with this new approach. Also do you plan to backport this change? Thanks!

@pedroigor
Copy link
Contributor Author

pedroigor commented Oct 20, 2025

I'm looking at the changes, and I'm a bit confused about the new direction regarding admin role mappings.

I think we missed the difference between a realm-admin and a delegated realm admin. An admin explicitly granted with realm-admin is a realm admin, similar to a server/master admin, but within the scope of a specific realm. That is why I'm updating realm-admin role to also allow granting admin roles.

@vramik
Copy link
Contributor

vramik commented Oct 20, 2025

Ah, thanks for that clarification, @pedroigor. That distinction between realm-admin and "delegated admin" makes the reasoning for this PR much clearer.

My takeaway from our original discussion was more restrictive than we now want.

The current behavior in 26.3/26.4 is that only server admins can map these roles. This PR will change that behavior for 26.5 by "giving back" this permission to the realm-admin role.

We need to make sure we document this change in the 26.5 release notes, as it's a change from the behavior we documented before.

@pedroigor pedroigor force-pushed the issue-43579 branch 2 times, most recently from 56c9fa7 to 71c1218 Compare October 21, 2025 20:15
vramik
vramik reviewed Oct 22, 2025
View reviewed changes
Copy link
Contributor

@vramik vramik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @pedroigor, this is great.

  • I've suggested two small doc changes to improve clarity. Let me know what you think.
  • It also looks like some tests need updating.

Once the tests are addressed, this should be ready to merge.

@pedroigor pedroigor enabled auto-merge (rebase) October 22, 2025 10:43
@pedroigor pedroigor merged commit 2b78542 into keycloak:main Oct 23, 2025
79 checks passed
@SeekingOmega SeekingOmega mentioned this pull request Nov 10, 2025
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ahus1 ahus1 ahus1 approved these changes

+1 more reviewer

@vramik vramik vramik approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@pedroigor @vramik @ahus1