
User role mapping tab: Show effective client roles for a user

Open jbman opened this issue 3 years ago • 6 comments

Description

In the old admin console it is possible to view effective client roles of a user.

The new admin console (version 19.0.2) has a filter flag "Hide inherited roles", but when inactive it only shows effective realm roles and doesn't include any client roles which are inherited (child of a composite role which is assigned).

Existing role mapping tab: image

Discussion

No response

Motivation

For an admin it is important to see assigned and effective roles, to ensure that the user has suitable roles assigned. If effective roles are missing in this view, the complete set of user privileges is hidden from the admin. It can only be derived by checking for each client role in the list if it contains some roles and which ones.

Note: In the old admin console it was also not optimal that the client needed to be selected first. This also doesn't display child roles of other clients as effective roles.

Details

Proposal for the list of role mappings

  • Switch the flag to "Show inherited roles". Make it deselected by default.
  • When "Show inherited roles" is active, inherited roles of client roles are shown (not only inherited roles of realm roles). Note: This requires multiple API calls or a new Admin API endpoint.
  • Optional: Add a column with information if it is a composite role

Mocked example screen: image

Poor alternative (to get at least on par with old admin console)

A specific client role can be selected and an action "Open inherited roles" navigates to the view which shows all roles added as child. In addition it must be shown if a role is a composite role.

Example: In the screen above role "a" contains child role "b". Role "a" could be selected and "Open inherited roles" is clicked. This would navigate to this screen: image

jbman avatar Sep 27 '22 11:09 jbman

I made this high impact because it is missing functionality that was there in the old console.

ssilvert avatar Sep 27 '22 18:09 ssilvert

@ssilvert but it's not; it's just harder to get to, and that's with good reason: getting all this information is a heavy query. That's why initially the inherited roles are hidden. It's also why on the old console you had to select the client.

edewit avatar Sep 28 '22 08:09 edewit

@edewit I think it's ok to have the inherited roles initially hidden. It's just important to provide at least a way to drill down to the effective roles. At least for a specific client as it is possible with the old admin console. From supporting multiple Keycloak instances, realms and their admins, I know that this is an essential feature.

As stated, a better solution shows the complete set of effective roles in one list. This probably requires a corresponding keycloak issue to create or enhance an Admin API endpoint. These roles could all end up in a token, so the admin should have a chance to review the complete set.

jbman avatar Sep 28 '22 16:09 jbman

Changing this to medium impact because there is a workaround.

ssilvert avatar Oct 04 '22 12:10 ssilvert

This is affecting us as well. When troubleshooting user permission issues, it is invaluable to view the user to see what roles they effectively have based on roles directly assigned to them, assigned to groups they belong to, or nested groups they belong to. We were testing an upgrade from 18.x to 19.0.2 and being unable to directly see effective roles at a user level is causing us to not move forward with this upgrade.

USAF-cbentkowski avatar Oct 12 '22 14:10 USAF-cbentkowski

OK. Moving back to high impact. We will take a closer look sooner.

ssilvert avatar Oct 12 '22 20:10 ssilvert

I noticed a 20.0.0 tag has been cut, but no changes to the UserRoleMapping.tsx. Are there any updates when client roles may be added back in?

USAF-cbentkowski avatar Nov 01 '22 13:11 USAF-cbentkowski

@USAF-cbentkowski this issue hasn't been solved, and I must admit I'm not really sure what the issue is. IMO you can see the effective roles even more clearly than in the old console, because the clients are listed directly and you don't have to select a specific client first.

In the old console I have to select "broker" to see the read-token role:

image

while in the new console it appears right away:

image

edewit avatar Nov 01 '22 15:11 edewit

Unfortunately, I can't post a screenshot of what I see, but on Keycloak 19.0.2-r6 we do not see any client roles on a user. Our users are granted client roles based on groups they are in or the groups that are members of other groups they are in. I will test assigning a client role directly to a user to see if that shows up, but it still doesn't change the fact that the only roles we see on a user are realm roles.

USAF-cbentkowski avatar Nov 01 '22 21:11 USAF-cbentkowski

@edewit indeed it's an improvement that a client doesn't need to be selected upfront. However, an admin needs a view which shows the effective roles of a user. The only inherited assignments which are shown are realm roles and their sub-roles. An admin also needs roles inherited by a group assignment or a client role assignment. Those aren't shown currently.

jbman avatar Nov 02 '22 08:11 jbman

@edewit I did a test this morning in our test environment and directly assigned a client role to a user and it does show up on the user role mapping without having to select a client, which is nice. However, the other roles this user has that are assigned to groups and inherited by the user are not showing. This is the problem since security best practices are to assign privileges to groups and not directly to users.

Currently, to check a user's effective client role, we have to:

  1. Open the user and view his/her groups
  2. Open the groups and search for the group
  3. Edit the group and go to role mappings to view assigned roles

This can be cumbersome when working with a user with multiple groups and unsure what group might be granting a role.

USAF-cbentkowski avatar Nov 02 '22 12:11 USAF-cbentkowski
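The resolution the thread is asking the role-mapping tab for (the "multiple API calls" of the proposal above, and the three manual steps just described): direct mappings, roles from groups including nested parent groups, transitive expansion of composite roles, and for each effective role which group or composite grants it. This is an added TypeScript example, not code from the keycloak-ui project; the data model, the "client:name" / "realm:name" role ids and the sample user, roles and groups are constructed assumptions and do not match Keycloak's representations or Admin API responses.

```typescript
// Added example: effective-role resolution over a constructed, simplified model.
// Not keycloak-ui's types or the Admin API. Role ids are "<clientId>:<name>",
// with "realm:<name>" for realm roles.
type RoleId = string;
interface Role { composites: RoleId[] }                              // child roles; non-empty only for composite roles
interface Group { id: string; parentId?: string; roles: RoleId[] }  // members of a nested group inherit the parent's mappings
interface User { directRoles: RoleId[]; groupIds: string[] }        // direct role mappings and direct group memberships
interface Model { roles: Record<RoleId, Role>; groups: Record<string, Group> }

/** A group followed by its ancestors, stopping on a missing parent or a cycle. */
function groupChain(groupId: string, model: Model): Group[] {
  const chain: Group[] = [];
  const seen: Record<string, true> = {};
  let g: Group | undefined = model.groups[groupId];
  while (g && !seen[g.id]) {
    seen[g.id] = true;
    chain.push(g);
    g = g.parentId === undefined ? undefined : model.groups[g.parentId];
  }
  return chain;
}

/**
 * Every effective role with the reasons the user holds it: "direct", "group:<id>"
 * for a (possibly ancestor) group mapping, or "via:<roleId>" when a composite role
 * contributed it. This answers "which group is granting this role?".
 */
export function roleSources(user: User, model: Model): Record<RoleId, string[]> {
  const sources: Record<RoleId, string[]> = {};
  const add = (id: RoleId, source: string): void => {
    const list = sources[id] ?? (sources[id] = []);
    if (list.indexOf(source) < 0) list.push(source);
  };
  user.directRoles.forEach((r) => add(r, "direct"));
  for (const gid of user.groupIds) {
    for (const g of groupChain(gid, model)) g.roles.forEach((r) => add(r, `group:${g.id}`));
  }
  // Expand composites transitively; the visited set keeps cyclic composites finite.
  const queue = Object.keys(sources);
  const visited: Record<RoleId, true> = {};
  while (queue.length > 0) {
    const id = queue.shift()!;
    if (visited[id]) continue;
    visited[id] = true;
    for (const child of model.roles[id]?.composites ?? []) {
      add(child, `via:${id}`);
      queue.push(child);
    }
  }
  return sources;
}

/** Sorted list of every role the user effectively holds. */
export function effectiveRoles(user: User, model: Model): RoleId[] {
  return Object.keys(roleSources(user, model)).sort();
}

/** Effective roles that are not mapped directly: what "Show inherited roles" would add to the tab. */
export function inheritedRoles(user: User, model: Model): RoleId[] {
  const direct = user.directRoles;
  return effectiveRoles(user, model).filter((r) => direct.indexOf(r) < 0);
}

/** Effective roles grouped per client ("realm" for realm roles), the way the tab lists them. */
export function effectiveByClient(user: User, model: Model): Record<string, string[]> {
  const byClient: Record<string, string[]> = {};
  for (const id of effectiveRoles(user, model)) {
    const sep = id.indexOf(":");
    const client = id.slice(0, sep);
    (byClient[client] ?? (byClient[client] = [])).push(id.slice(sep + 1));
  }
  return byClient;
}

// Constructed sample data mirroring the thread: realm composite role "a" contains
// client role "b"; the user is in nested group "staff", whose parent grants
// broker:read-token; only realm:a is mapped to the user directly.
export const SAMPLE_MODEL: Model = {
  roles: {
    "realm:a": { composites: ["app:b"] },
    "app:b": { composites: [] },
    "app:admin": { composites: ["app:b", "app:manage"] },
    "app:manage": { composites: [] },
    "broker:read-token": { composites: [] },
  },
  groups: {
    "all-employees": { id: "all-employees", roles: ["broker:read-token"] },
    staff: { id: "staff", parentId: "all-employees", roles: ["app:admin"] },
  },
};
export const SAMPLE_USER: User = { directRoles: ["realm:a"], groupIds: ["staff"] };

// Stand-alone run: print each effective role with why the user holds it.
const demo = roleSources(SAMPLE_USER, SAMPLE_MODEL);
Object.keys(demo).forEach((role) => console.log(`${role} <- ${demo[role].join(", ")}`));
```

For the sample user this yields realm:a (direct), app:admin (group:staff), broker:read-token (group:all-employees), app:b (via both realm:a and app:admin) and app:manage (via app:admin); only realm:a would appear in a view that hides inherited roles, which is exactly the gap described in the comments. Group and composite cycles are tolerated rather than looping, since a misconfigured realm should not hang the resolver.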

@USAF-cbentkowski right, I see that now. I think I have a fix for it now.

edewit avatar Nov 02 '22 12:11 edewit

@edewit That would be amazing. I really appreciate you looking at this. While I can follow what is happening in the UI code, I don't know enough about the codebase or Typescript to suggest changes on my own.

USAF-cbentkowski avatar Nov 02 '22 12:11 USAF-cbentkowski