
feat(FGAPv2): add GROUPS.reset-password-members scope with alias supp…#42801

Draft
Bagautdino wants to merge 1 commit into keycloak:main from Bagautdino:main

Conversation

@Bagautdino
Contributor

Closes: #42597

This PR adds support for GROUPS.reset-password-members scope in Fine-Grained Admin Permissions (FGAP) v2, enabling administrators to set up password reset permissions for group members through a minimal, elegant solution leveraging the existing alias mechanism.

Related Issues

Motivation

Following the successful introduction of USERS.reset-password scope in PR #41904, administrators need the ability to manage password reset permissions at the group level rather than individual user level. This addresses the group permission requirement mentioned in the original PR discussion and provides a scalable approach to managing password reset policies.

What's Changed

AdminPermissionsSchema.java

  • Added scope constant: RESET_PASSWORD_MEMBERS = "reset-password-members"
  • Extended GROUPS resource type: Added RESET_PASSWORD_MEMBERS to the scopes set
  • Created alias relationship: Mapped USERS.RESET_PASSWORD to GROUPS.RESET_PASSWORD_MEMBERS

Code Changes

// Added scope constant
public static final String RESET_PASSWORD_MEMBERS = "reset-password-members";

// Extended GROUPS resource type
public static final ResourceType GROUPS = new ResourceType(
    GROUPS_RESOURCE_TYPE, 
    Set.of(MANAGE, VIEW, MANAGE_MEMBERSHIP, MANAGE_MEMBERS, VIEW_MEMBERS, IMPERSONATE_MEMBERS, RESET_PASSWORD_MEMBERS)
);

// Added alias in USERS resource type
public static final ResourceType USERS = new ResourceType(
    USERS_RESOURCE_TYPE, 
    Set.of(MANAGE, VIEW, IMPERSONATE, MAP_ROLES, MANAGE_GROUP_MEMBERSHIP, RESET_PASSWORD), 
    Map.of(
        VIEW, Set.of(VIEW_MEMBERS), 
        MANAGE, Set.of(MANAGE_MEMBERS), 
        IMPERSONATE, Set.of(IMPERSONATE_MEMBERS), 
        RESET_PASSWORD, Set.of(RESET_PASSWORD_MEMBERS)  // ← New alias
    ), 
    GROUPS.getType()
);

How It Works

The solution leverages FGAP v2's built-in alias mechanism:

  1. Scope Creation: The new reset-password-members scope automatically becomes available in Admin Console for group policies
  2. Policy Creation: Administrators can create policies for GROUPS.reset-password-members on specific groups
  3. Automatic Evaluation: When UserPermissionsV2.canResetPassword() is called, the existing alias mechanism automatically:
    • Checks if the user is a member of any group with reset-password-members policies
    • Applies deny-overrides and scope-first behavior
    • Returns the appropriate permission result

Configuration

No new configuration options required. The feature works immediately with existing FGAP v2 settings.

…ort 

- Add RESET_PASSWORD_MEMBERS scope to GROUPS resource type
- Create alias mapping USERS.RESET_PASSWORD -> GROUPS.RESET_PASSWORD_MEMBERS
- Add test for group-based password reset permissions
- Leverage existing FGAP v2 alias mechanism for automatic evaluation
- Follows deny-overrides and scope-first principles

Signed-off-by: Bagautdino <336373@edu.itmo.ru>
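The alias-based evaluation described under "How It Works", as an added, self-contained model written for this page (it is not Keycloak's AdminPermissionsSchema or UserPermissionsV2 code): a toy policy store in which the direct USERS.reset-password decision and the aliased GROUPS.reset-password-members decisions for the user's groups are combined with deny-overrides. Resource type names, the policy shape, and the admin, user and group identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed scope names mirroring the PR's constants (model only, not Keycloak code).
RESET_PASSWORD = "reset-password"
RESET_PASSWORD_MEMBERS = "reset-password-members"

@dataclass
class ResourceType:
    name: str
    scopes: frozenset
    aliases: dict = field(default_factory=dict)  # own scope -> scopes on the parent type
    parent: Optional[str] = None

GROUPS = ResourceType("Groups", frozenset({"manage", "view", RESET_PASSWORD_MEMBERS}))
USERS = ResourceType("Users", frozenset({"manage", "view", RESET_PASSWORD}),
                     {RESET_PASSWORD: {RESET_PASSWORD_MEMBERS}}, GROUPS.name)

@dataclass(frozen=True)
class Policy:
    resource_type: str  # "Users" or "Groups"
    resource: str       # user id or group id the policy is attached to
    scope: str
    admins: frozenset   # admins the policy applies to
    decision: str       # "PERMIT" or "DENY"

def evaluate(policies, rtype, resource, scope, admin):
    """Decision for one (resource type, resource, scope) with deny-overrides."""
    hits = [p for p in policies
            if (p.resource_type, p.resource, p.scope) == (rtype, resource, scope)
            and admin in p.admins]
    if any(p.decision == "DENY" for p in hits):
        return "DENY"
    return "PERMIT" if hits else "ABSTAIN"

def can_reset_password(policies, admin, user, user_groups):
    """Combine the direct USERS.reset-password decision with the aliased
    GROUPS.reset-password-members decisions on each group the user belongs to;
    any DENY wins, otherwise at least one PERMIT is required."""
    decisions = [evaluate(policies, USERS.name, user, RESET_PASSWORD, admin)]
    for scope in USERS.aliases.get(RESET_PASSWORD, ()):  # resolves to reset-password-members
        decisions += [evaluate(policies, USERS.parent, g, scope, admin) for g in user_groups]
    return "DENY" not in decisions and "PERMIT" in decisions

# Constructed sample policies: helpdesk admin "alice" may reset passwords of
# "helpdesk-users" members but is explicitly denied for the "executives" group.
SAMPLE_POLICIES = (
    Policy("Groups", "helpdesk-users", RESET_PASSWORD_MEMBERS, frozenset({"alice"}), "PERMIT"),
    Policy("Groups", "executives", RESET_PASSWORD_MEMBERS, frozenset({"alice"}), "DENY"),
)
```

A user who is in both a permitted and a denied group is denied, which is the deny-overrides behaviour the PR description relies on.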
@SebastEnn
Contributor

When do you think this PR will be ready? I need this feature for my Keycloak instance.


Development

Successfully merging this pull request may close these issues.

Add GROUPS.reset-password-members scope for FGAP v2
