"User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added #27536

Closed
2 tasks done
mpalavrov opened this issue Mar 5, 2024 · 7 comments · Fixed by #31771

mpalavrov commented Mar 5, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

account/ui

Describe the bug

Realm Admin users who have "realm-management" role/permissions only for "manage-users" and "query-users" cannot search using the Attribute or add an attribute, for example for Locale.
Having "view-realm" or, of course, "manage-realm" fixes it, but then the Realm Admin users are also able to see the Realm Settings, which might not be desired as it contains sensitive information.

Please note that the "User Profile" attributes are available normally, as the User Profile "groups" and "attributes" are localized when the User is opened

Version

24.0.1

Regression

  • The issue is a regression

Expected behavior

The User Profile Attributes are available for User Attribute search without the need of "view-realm" or "manage-realm" realm-management Client Role to be assigned:
User attribute search:
image
Locale attribute selection:
image

Actual behavior

The User Attribute Search is not usable, as User Profile attributes are not available in case "view-realm" or "manage-realm" realm-management Client Role is not assigned:
User attribute search:
image
User Attribute select:
image

How to Reproduce?

  1. Create User Profile attributes, also some with multiselect, like for Locale selection
  2. Create user with user/credentials (or use Identity Provider if available)
  3. Assign "manage-users" and "query-users" realm-management Client roles to a user
  4. Sign in with the security-admin-console client with
  5. Go to the User menu:
    image
  6. Try to make Attribute Search:
    image
    or to assign some Attribute for the user

Anything else?

No response

@keycloak-github-bot

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

@enastevska

Is there an update when this will be resolved?

@mpalavrov
Author

Hey @ssilvert, could you please provide some update on this bug? It is still there for KC 25.0.1.
Thank you.

@antikalk
Contributor

I just verified that the issue still persists with KC 25.0.2.

@danielFesenmeyer
Contributor

@mpalavrov checked this with KC 24.0.6. Seems like the attribute selection has been fixed, I was able to select and save an "options-attribute" with "manage-users" role.

But the User Attribute Search issue still persists. Will also check on main and see whether I can provide a PR.

danielFesenmeyer added a commit to bosch-io/keycloak that referenced this issue Jul 30, 2024
…earch, when admin user does not have view- or manage-realm realm-management role

Closes keycloak#27536

Signed-off-by: Daniel Fesenmeyer <[email protected]>
danielFesenmeyer added a commit to bosch-io/keycloak that referenced this issue Jul 31, 2024
…earch, when admin user does not have view- or manage-realm realm-management role

- UIRealmResource: add "info" sub-resource to get realm-related information, which is visible for ALL admins (users having any realm-management role); for now, only provide the information whether any user profile provider is enabled
- UIRealmResourceTest: test the new endpoint, including permissions check
- UserDataTable.tsx: use this resource to get the info whether user profile providers are enabled, instead of using the realm components resource (which requires "view-realm" permissions)
- .../cypress/e2e/users_attribute_search_test.spec.ts: add cypress test to test the attribute search with minimum access rights
- further small changes for reuse of components, test-code etc

Closes keycloak#27536

Signed-off-by: Daniel Fesenmeyer <[email protected]>
@danielFesenmeyer
Contributor

Hi @ssilvert,

I've implemented a draft, which shows how this issue can be solved from my POV: #31771

Actually, it's still a draft because I've added a new "ui-ext" endpoint on realm level, which allows access to all users having any admin rights. This new endpoint is now used to retrieve the information whether userProfileProviders are enabled, but could also be used for similar use cases. Before, the corresponding "component" was called, which requires at least "view-realm" permission, breaking the users view in case the logged-in admin only has "view-users" rights.

I've added several tests for the functionality and think the PR is at least a good starting point for the final fix.
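
A simplified model of the permission mismatch discussed in this thread, added here as an illustration and not taken from Keycloak's code or from the PR. Role names come from the issue; the `Probe` labels, function names and sample accounts are assumptions. It also lists accounts that hold a realm role next to user-management roles, which are the ones to review once the Users view no longer depends on "view-realm".

```typescript
// Added example: role names are from the issue; types, function names and the
// sample accounts are constructed for illustration.
type Role = "manage-users" | "query-users" | "view-users" | "view-realm" | "manage-realm";

// Roles that also open Realm Settings, which the reporter wants to keep away from user admins.
const REALM_ROLES: readonly Role[] = ["view-realm", "manage-realm"];

// Call the Users view makes to learn whether user profile providers are enabled:
// "realm-components" models the call before the fix, "ui-info" the new sub-resource.
type Probe = "realm-components" | "ui-info";

function mayCall(probe: Probe, roles: readonly Role[]): boolean {
  return probe === "realm-components"
    ? roles.some((r) => REALM_ROLES.indexOf(r) !== -1) // needs view-realm or manage-realm
    : roles.length > 0;                                // any realm-management role
}

// Modelling assumption: attribute search is usable only when the probe call is authorized.
function attributeSearchUsable(probe: Probe, roles: readonly Role[]): boolean {
  return mayCall(probe, roles);
}

interface Admin { username: string; roles: Role[]; }

// Accounts that keep attribute search after dropping their realm roles, once the UI
// uses the new probe. These are review candidates, not proven over-grants.
function workaroundCandidates(admins: readonly Admin[]): string[] {
  return admins
    .filter((a) => {
      const reduced = a.roles.filter((r) => REALM_ROLES.indexOf(r) === -1);
      return reduced.length < a.roles.length && attributeSearchUsable("ui-info", reduced);
    })
    .map((a) => a.username);
}

// Constructed sample role mappings.
const SAMPLE_ADMINS: Admin[] = [
  { username: "alice", roles: ["manage-users", "query-users", "view-realm"] },
  { username: "bob", roles: ["manage-users", "query-users"] },
  { username: "carol", roles: ["manage-realm"] },
];

const CANDIDATES: string[] = workaroundCandidates(SAMPLE_ADMINS);
```
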

danielFesenmeyer added a commit to bosch-io/keycloak that referenced this issue Aug 7, 2024
@danielFesenmeyer
Contributor

@ssilvert PR is ready for review from the maintainers - so far, it has only been reviewed by my team.

danielFesenmeyer added a commit to bosch-io/keycloak that referenced this issue Sep 3, 2024