We are setting up Keycloak to provide authentication into our applications for our customers. Each customer will be assigned their own realm. Customer admins will be given permission within their realm to perform operations.
A small group within our support group will have super-admin privileges across all realms. However, we'd like to enable a broader group of our support reps to manage user password resets across all customer realms.
Is it possible to create a role in Keycloak that has limited permissions (e.g., less than admin) across all realms?
You can do this by assigning all of the realms' manage-users roles to the customer_admin user in the master realm.
Launch the latest Keycloak with Docker:
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:23.0.5 start-dev
Add the customer_admin user in the master realm.
Click the down arrow to select the 'Filter by clients' menu.
The 'Assign roles to customer_admin' dialog will pop up.
Then select all of the realms' manage-users roles.
See "Keycloak Rest Api Reset password via Postman" for more detailed information.
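A least-privilege check for the setup described in the answer, as an added example that is not part of the original post: it inspects the role claims of an access token issued to customer_admin in the master realm and reports anything other than manage-users on the customer realms. It assumes the token carries Keycloak's usual realm_access and resource_access claims and that each realm appears in master as a client named `<realm>-realm`; the realm names acme, globex and initech are constructed.

```python
import base64
import json

ALLOWED = {"manage-users"}               # the only role the answer assigns
SUPER_ADMIN = {"admin", "create-realm"}  # master realm roles reserved for super-admins


def decode_claims(jwt: str) -> dict:
    """Return the JWT payload. No signature check: for auditing a token you requested yourself."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_support_token(claims: dict, customer_realms: set) -> list:
    """List every way the token deviates from 'manage-users on customer realms only'."""
    findings = []
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    for role in sorted(realm_roles & SUPER_ADMIN):
        findings.append(f"master: realm role '{role}' is a super-admin role")
    access = claims.get("resource_access", {})
    for client in sorted(access):
        if not client.endswith("-realm"):
            continue  # ordinary client such as 'account', not a realm-management client
        realm = client[: -len("-realm")]
        roles = set(access[client].get("roles", []))
        if realm not in customer_realms:
            findings.append(f"{realm}: not a customer realm, but roles {sorted(roles)} granted")
            continue
        for role in sorted(roles - ALLOWED):
            findings.append(f"{realm}: unexpected role '{role}'")
    for realm in sorted(customer_realms):
        if "manage-users" not in access.get(f"{realm}-realm", {}).get("roles", []):
            findings.append(f"{realm}: manage-users missing")
    return findings


# Constructed sample claims (realm names acme and globex are made up).
SAMPLE_CLAIMS = {
    "preferred_username": "customer_admin",
    "realm_access": {"roles": ["default-roles-master", "offline_access"]},
    "resource_access": {
        "acme-realm": {"roles": ["manage-users"]},
        "globex-realm": {"roles": ["manage-users", "manage-realm"]},
        "master-realm": {"roles": ["manage-users"]},
        "account": {"roles": ["view-profile"]},
    },
}

if __name__ == "__main__":
    for finding in audit_support_token(SAMPLE_CLAIMS, {"acme", "globex", "initech"}):
        print(finding)
```

Selecting every realm's manage-users role in the dialog also picks up `master-realm`, which covers the master realm's own users; the check reports it because the question asks only for customer realms.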