Support Fine-Grained Permissions v2 (Keycloak 26.2) #1187

Open
@sventorben

Description

Keycloak 26.2 introduced Fine-Grained Permissions v2, which allows scoped and secure delegation of administrative rights across various Keycloak entities such as users, groups, roles, and clients. This improvement enables more secure and granular administrative delegation compared to the legacy realm admin role.

Currently, the Keycloak Terraform Provider does not support managing Fine-Grained Permissions v2. Supporting this feature would enable full infrastructure-as-code (IaC) workflows around admin delegation and access management.

Relevant documentation:

Discussion

No response

Motivation

  • Enables secure delegation of administrative tasks using Terraform.
  • Aligns Terraform-based Keycloak management with the latest Keycloak features.
  • Reduces reliance on the full realm admin role for delegated use cases.
  • Improves compliance and security through scoped permissions and policies.

Details

Requested Enhancements

Realm-Level Support

  • Support the adminPermissionsEnabled flag for realms.

Top-Level Permission Resources

Add new Terraform resources for managing entity-specific admin permissions:

  • keycloak_user_permissions
  • keycloak_group_permissions
  • keycloak_client_permissions
  • keycloak_role_permissions

Each should allow configuring which scopes (e.g. view-users, manage-clients) are protected and who is allowed to use them.

Policy Resources

Add support for managing policy types used in permissions:

  • keycloak_aggregated_policy
  • keycloak_client_policy
  • keycloak_client_scope_policy
  • keycloak_group_policy
  • keycloak_regex_policy
  • keycloak_role_policy
  • keycloak_time_policy
  • keycloak_user_policy

Permission–Policy Links

Add a resource like keycloak_permission_policy_link to associate policies with specific permission resources.

Example Terraform Configuration

resource "keycloak_realm" "myrealm" {
  realm                     = "myrealm"
  enabled                   = true
  admin_permissions_enabled = true
}

resource "keycloak_role" "user_admin" {
  realm_id = keycloak_realm.myrealm.id
  name     = "user-admin"
}

resource "keycloak_user_permissions" "manage_users_permission" {
  realm_id = keycloak_realm.myrealm.id
  scope    = "manage-users"
  resource = "users"
}

resource "keycloak_role_policy" "user_admin_policy" {
  realm_id = keycloak_realm.myrealm.id
  name     = "user-admin-role-policy"
  roles    = [keycloak_role.user_admin.id]
}

resource "keycloak_permission_policy_link" "link_user_admin_to_permission" {
  permission_id = keycloak_user_permissions.manage_users_permission.id
  policy_id     = keycloak_role_policy.user_admin_policy.id
}
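As an added example, not taken from the issue or from the provider's code base: a small plan lint over the resource types proposed above, read from the `configuration.root_module.resources[*].expressions` section of `terraform show -json` output. It assumes the proposed resource names and attributes (which do not exist in the provider yet) and flags a realm that leaves `admin_permissions_enabled` off, a permission resource that no `keycloak_permission_policy_link` attaches a policy to, and a link whose `policy_id` does not reference a policy resource.

```python
import json

PERMISSION_TYPES = {"keycloak_user_permissions", "keycloak_group_permissions",
                    "keycloak_client_permissions", "keycloak_role_permissions"}
LINK_TYPE = "keycloak_permission_policy_link"

# Constructed plan excerpt in `terraform show -json` shape (not real provider output):
# the issue's example plus a second permission that no link attaches a policy to.
SAMPLE_PLAN = json.dumps({"configuration": {"root_module": {"resources": [
    {"address": "keycloak_realm.myrealm", "type": "keycloak_realm",
     "expressions": {"admin_permissions_enabled": {"constant_value": True}}},
    {"address": "keycloak_user_permissions.manage_users_permission",
     "type": "keycloak_user_permissions", "expressions": {"scope": {"constant_value": "manage-users"}}},
    {"address": "keycloak_user_permissions.view_users_permission",
     "type": "keycloak_user_permissions", "expressions": {"scope": {"constant_value": "view-users"}}},
    {"address": "keycloak_role_policy.user_admin_policy", "type": "keycloak_role_policy",
     "expressions": {"name": {"constant_value": "user-admin-role-policy"}}},
    {"address": "keycloak_permission_policy_link.link_user_admin_to_permission", "type": LINK_TYPE,
     "expressions": {"permission_id": {"references": [
                         "keycloak_user_permissions.manage_users_permission.id",
                         "keycloak_user_permissions.manage_users_permission"]},
                     "policy_id": {"references": [
                         "keycloak_role_policy.user_admin_policy.id",
                         "keycloak_role_policy.user_admin_policy"]}}},
]}}})

def _addr(ref: str) -> str:
    """Reduce a reference such as 'type.name.id' to the resource address 'type.name'."""
    return ".".join(ref.split(".")[:2])

def lint_plan(plan_json: str) -> list[str]:
    # Findings: realm with FGAP v2 off, link without a policy target, unlinked permission.
    resources = json.loads(plan_json)["configuration"]["root_module"]["resources"]
    policies = {r["address"] for r in resources if r["type"].endswith("_policy")}
    linked, findings = set(), []
    for r in resources:
        exprs = r.get("expressions", {})
        if r["type"] == "keycloak_realm":
            if exprs.get("admin_permissions_enabled", {}).get("constant_value") is not True:
                findings.append(f"{r['address']}: admin_permissions_enabled is not true")
        elif r["type"] == LINK_TYPE:
            linked.update(_addr(x) for x in exprs.get("permission_id", {}).get("references", []))
            if not {_addr(x) for x in exprs.get("policy_id", {}).get("references", [])} & policies:
                findings.append(f"{r['address']}: policy_id does not reference a policy resource")
    for r in resources:
        if r["type"] in PERMISSION_TYPES and r["address"] not in linked:
            findings.append(f"{r['address']}: no {LINK_TYPE} attaches a policy to it")
    return findings
```

Run it against `terraform show -json plan.out` in CI so an unprotected permission resource is caught before it is applied.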
