
Access to user details for restricted admin fails after enabling organization in realm #41418

@dbisbos

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/ui

Describe the bug

We have users with restricted administration rights on the realm.

In fact, these administrators have the following rights:
realm-management:query-clients, manage-users, query-users, view-realm, view-users, view-clients.

Since we enabled "organizations" on the realm, we have noticed that these administrators can no longer view a user's details.

In fact, a request to https://<keycloak_url>/auth/admin/realms//organizations/?first=0&max=1 is triggered at least when accessing a user's details, and the result is a 403 Forbidden error!

By disabling "organizations" on the realm, these administrators regain the ability to view a user's details.

I haven't found any new rights dedicated to accessing organizations (query-organizations or view-organizations).

The only solution is to assign the "Manage-realm" role, which we don't want for these restricted users.
For example, we don't want the federation menu to be accessible in read/write mode for those restricted users.

Furthermore, I notice that "organizations" are present in the left-hand menu, and accessing this item produces the same error: 403 Forbidden.

Can you associate organization access with the "manage-users" role or something else to fix this regression?

Thanks in advance.

Version

26.0.5

Regression

  • The issue is a regression

Expected behavior

Access to all users' details for a restricted administrator who has the manage-users role, even when organizations are enabled.

Actual behavior

Forbidden access to organizations or users when trying to look at user details.

How to Reproduce?

  • Connect to Keycloak with a restricted user account that has the manage-users and query-users roles.
  • Access a user's details in your realm.
  • All is OK.
  • Activate organizations.
  • Access a user's details in your realm.
  • You should get a 403 Forbidden error when Keycloak tries to access organizations, or when you click on the organizations item in the left menu.

Anything else?

No response
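A probe for the reproduction steps above, added here as an example and not Keycloak project code: it obtains a token for the restricted admin and checks the two admin endpoints the user-details view depends on, reporting whether the organizations listing is the part that returns 403. The hostname, realm, client id and credentials are assumed lab values, and the `/auth` prefix follows the URL quoted in the report.

```python
"""Probe whether a restricted realm admin can still read user details once
organizations are enabled (the regression in this issue). Added example, not
Keycloak code; base URL, realm, client id and credentials are lab assumptions."""
import json
import urllib.error
import urllib.parse
import urllib.request

# The admin console requests both when opening a user's details. The /auth
# prefix matches the URL in the report; drop it if there is no context path.
PROBES = {
    "users": "{base}/auth/admin/realms/{realm}/users?first=0&max=1",
    "organizations": "{base}/auth/admin/realms/{realm}/organizations/?first=0&max=1",
}

def get_token(base_url, realm, username, password, client_id="admin-cli"):
    """Password grant for the restricted admin account, as the admin CLI does."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as r:
        return json.load(r)["access_token"]

def http_status(url, token):
    """GET with a bearer token; urllib raises on 4xx, so recover the status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status
    except urllib.error.HTTPError as err:
        return err.code

def probe(base_url, realm, token, status_fn=http_status):
    """Return {probe name: HTTP status}; status_fn is injectable for offline tests."""
    return {name: status_fn(tmpl.format(base=base_url, realm=realm), token)
            for name, tmpl in PROBES.items()}

def diagnose(statuses):
    """'ok': both readable. 'regression': users readable but the organizations
    listing is 403, which breaks the details view. 'other': anything else."""
    if statuses["users"] == 200 and statuses["organizations"] == 200:
        return "ok"
    if statuses["users"] == 200 and statuses["organizations"] == 403:
        return "regression"
    return "other"

if __name__ == "__main__":  # assumed lab values; replace with your own
    token = get_token("https://keycloak.example", "myrealm", "restricted-admin", "secret")
    result = probe("https://keycloak.example", "myrealm", token)
    print(result, "->", diagnose(result))
```

Run it before and after toggling organizations on a test realm; a verdict of "regression" reproduces the report, while "ok" after a fix or role change confirms the restricted account can open user details again.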
