diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index 091d7a5..951e724 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (root.admin().hasRole(role)) return true;
ClientModel adminClient = root.getRealmManagementClient();
+ // is this an admin role in 'realm-management' client of the realm we are managing?
if (adminClient.equals(role.getContainer())) {
// if this is realm admin role, then check to see if admin has similar permissions
// we do this so that the authz service is invoked
- if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
+ if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
+ || role.getName().equals(AdminRoles.CREATE_CLIENT)
+ ) {
if (!root.clients().canManage()) {
return adminConflictMessage(role);
} else {
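Review bot: The new `CREATE_CLIENT` branch reuses the `root.clients().canManage()` gate written for `MANAGE_CLIENTS`, but the two comments above the condition still describe only the "realm admin role" case and do not say why a narrower role is held to the full manage permission. This method decides which `realm-management` roles an admin may hand out, so the intent should be written down, for example `// create-client is gated on full client-manage permission: an admin who cannot manage clients must not be able to grant client creation`. As a style point, the condition reads more easily on two lines with the closing `) {` joined to the second, and with `role.getName()` held in a local instead of being called once per comparison. The enclosing method starts and ends outside the hunk.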
@@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
} else {
return true;
}
+
+ } else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
+ return true;
} else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
return true;
} else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
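Review bot: The added `QUERY_REALMS` branch returns `true` with no permission check, so any caller that reaches this chain may map the role. That matches the `QUERY_CLIENTS` and `QUERY_USERS` branches below it, but the reason these roles are exempt is not recorded anywhere in the visible lines. Each unconditional `return true` here is an exception to the check that prevents an admin from granting `realm-management` roles beyond their own rights. I would add a comment such as `// query-* roles are treated as non-privileged here and may be mapped without a further check`, with the justification confirmed by someone who knows what query-realms exposes. The blank `+` line before the `else if` can be dropped; the chain continues outside the hunk.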
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index b4162f4..1854e83 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -660,13 +660,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
adminClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
- RoleRepresentation compositePart = new RoleRepresentation();
- compositePart.setName("composite-part");
- adminClient.realm(TEST).roles().create(compositePart);
- compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
-
+ ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+ RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
+ RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
- composites.add(compositePart);
+ composites.add(createClient);
+ composites.add(queryRealms);
adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
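Review bot: Replacing `composite-part` with `createClient` and `queryRealms` means this setup no longer builds a composite from an ordinary realm role, so unless another test covers that case the original scenario loses its coverage. Consider keeping the plain role next to the two `realm-management` roles. The lookup `adminClient.realm(TEST).clients().get(client.getId()).roles()` is repeated on both new lines and could be held in one local. The `.get(0)` after `findByClientId(...)` would fail with a bare index error if the client were missing. The method body starts outside the hunk.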
@@ -695,13 +694,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
realmClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
- RoleRepresentation compositePart = new RoleRepresentation();
- compositePart.setName("composite-part");
- realmClient.realm(TEST).roles().create(compositePart);
- compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
+ ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+ RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
- composites.add(compositePart);
+ composites.add(viewUsers);
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
// testRestEvaluationMasterRealm
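Review bot: The variable `viewUsers` holds the role fetched with `AdminRoles.CREATE_CLIENT`, so the name says something different from what the test adds to the composite. Either the name is a leftover, in which case use `RoleRepresentation createClient = ...` and `composites.add(createClient);`, or the lookup was meant to be a different role and the constant is wrong. Which one was intended cannot be told from the hunk. This setup also omits the `QUERY_REALMS` role that the parallel setup in the previous hunk adds; if the two are meant to mirror each other, that is worth a one-line comment. The method starts outside the hunk.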