Feature Request: Endpoint for Realm Admins to List and Manage All Tenants #48

Closed
shehabghazy opened this issue Aug 30, 2024 · 6 comments · Fixed by #53

Comments

@shehabghazy

As a system administrator, there is often a need to view and manage all tenants within the system. This capability is crucial for overseeing tenant status and performing administrative tasks efficiently. Currently, there is no straightforward way to list all tenants from the admin side.

So it would be beneficial to introduce a dedicated endpoint that allows realm admins to list and manage all tenants. This feature would streamline administrative workflows and enhance overall system management.

Additionally, it is suggested to include options for filtering and sorting tenant data to facilitate specific administrative tasks.
This feature would significantly enhance the administrative capabilities of the multi-tenancy extension and improve overall workflow efficiency.

github-actions bot commented Nov 4, 2024

This issue is stale because it has been open for 30 days with no activity. If this issue still applies please comment otherwise it will be closed in 7 days.

@github-actions github-actions bot added the stale label Nov 4, 2024

This issue was closed because it has been inactive for 7 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Nov 12, 2024
@anarsultanov anarsultanov reopened this Dec 5, 2024
@github-actions github-actions bot removed the stale label Dec 6, 2024
@oleaasbo commented Dec 6, 2024

Realm Role For Tenant Administration

Problem Statement

System administrators currently lack a centralized way to view and manage tenants across the system.

Proposed Solution

main...oleaasbo:keycloak-multi-tenancy:realm-admin
Implement a realm-wide tenant management system using Keycloak's established authorization patterns. This approach will introduce a new role-based access control mechanism specifically for tenant management.

Code Changes

1. Constants Addition

// Constants.java
public static final String TENANTS_MANAGEMENT_ROLE = "manage-tenants";

Added new constant to define the realm-wide tenant management role.

2. TenantAdminAuth Extension

// TenantAdminAuth.java
boolean isRealmTenantManager() {
    return hasAppRole(getRealmManagementClient(), Constants.TENANTS_MANAGEMENT_ROLE);
}

private ClientModel getRealmManagementClient() {
    return getRealm().getClientByClientId(org.keycloak.models.Constants.REALM_MANAGEMENT_CLIENT_ID);
}

Added methods to:

  • Check if the current user has the tenant management role
  • Retrieve the realm-management client

3. TenantsResource Modification

// TenantsResource.java
return tenantProvider.getTenantsStream(realm)
    .filter(tenant -> auth.isTenantMember(tenant) || auth.isRealmTenantManager())
    .filter(tenant -> search.isEmpty() || tenant.getName().contains(search.get()))
    .skip(firstResult)
    .limit(maxResults)

Modified tenant filtering to:

  • Allow access if user is either a tenant member OR a realm tenant manager
  • Maintain existing search and pagination functionality

Implementation Details

  1. Authorization Flow

    • Users with manage-tenants role can view all tenants
    • Existing tenant members retain their current access
    • Role check is added to the filter chain for efficient evaluation
  2. Backward Compatibility

    • Existing tenant member access remains unchanged
    • New role provides additional access path without breaking existing flows
  3. Performance Considerations

    • Role check is performed at the filter level
    • Maintains existing pagination and search capabilities
    • No additional database queries required for role verification

Setup Requirements

Create the manage-tenants role in the realm-management client through the Keycloak admin console:

  1. Navigate to Clients > realm-management.
  2. Go to the Roles tab.
  3. Click Add Role.
  4. Enter manage-tenants as the Role Name and an optional Description.
  5. Click Save.
  6. Assign the role to appropriate realm administrators through the Keycloak admin console.

This implementation provides a clean, maintainable solution for realm-wide tenant management while preserving existing functionality and security measures.
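The authorization filter described in the proposal above, worked through as an added, self-contained example. This is not code from keycloak-multi-tenancy or from the comment author; the Tenant, Caller, listTenants and check names are hypothetical stand-ins, and Caller.isRealmTenantManager models what hasAppRole(realm-management, "manage-tenants") returns (false when the role is not granted on that client, which is why the setup steps matter). Two things differ from the snippet in the proposal and are the point of the example: the role lookup is evaluated once before the stream instead of inside the per-tenant lambda, and the tests confirm that search and pagination run only after the authorization filter, so a non-member cannot use the search parameter to probe for tenant names.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Stand-in model of the proposed TenantsResource filter (hypothetical names,
 * not keycloak-multi-tenancy code). A Tenant has a name and a set of member
 * user ids; a Caller has a user id and the client roles granted to it.
 */
public class TenantListingModel {

    // Same client id Keycloak uses for its realm-management client.
    static final String REALM_MANAGEMENT_CLIENT_ID = "realm-management";
    // Role name from the proposal.
    static final String TENANTS_MANAGEMENT_ROLE = "manage-tenants";

    record Tenant(String name, Set<String> members) {}

    /** Authenticated user plus the client roles they hold, keyed by clientId. */
    record Caller(String userId, Map<String, Set<String>> clientRoles) {
        boolean isTenantMember(Tenant t) {
            return t.members().contains(userId);
        }

        /** Models hasAppRole(realmManagementClient, "manage-tenants"): false if client or role absent. */
        boolean isRealmTenantManager() {
            return clientRoles.getOrDefault(REALM_MANAGEMENT_CLIENT_ID, Set.of())
                    .contains(TENANTS_MANAGEMENT_ROLE);
        }
    }

    /**
     * Authorization first, then search, then pagination. The role check is
     * evaluated once rather than once per tenant inside the lambda.
     */
    static List<String> listTenants(Stream<Tenant> all, Caller auth, Optional<String> search,
                                    int firstResult, int maxResults) {
        boolean manager = auth.isRealmTenantManager();
        return all
                .filter(t -> manager || auth.isTenantMember(t))
                .filter(t -> search.isEmpty() || t.name().contains(search.get()))
                .skip(firstResult)
                .limit(maxResults)
                .map(Tenant::name)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real deployment.
        List<Tenant> tenants = List.of(
                new Tenant("acme", Set.of("alice")),
                new Tenant("acme-labs", Set.of("alice", "bob")),
                new Tenant("globex", Set.of("carol")));

        Caller alice = new Caller("alice", Map.of());
        Caller admin = new Caller("root",
                Map.of(REALM_MANAGEMENT_CLIENT_ID, Set.of(TENANTS_MANAGEMENT_ROLE)));
        // Same role name granted on a different client must not count.
        Caller wrongClient = new Caller("eve", Map.of("account", Set.of(TENANTS_MANAGEMENT_ROLE)));

        // A member sees only the tenants they belong to.
        check(listTenants(tenants.stream(), alice, Optional.empty(), 0, 10)
                .equals(List.of("acme", "acme-labs")), "member");
        // A realm tenant manager sees everything, paginated.
        check(listTenants(tenants.stream(), admin, Optional.empty(), 0, 2)
                .equals(List.of("acme", "acme-labs")), "page 1");
        check(listTenants(tenants.stream(), admin, Optional.empty(), 2, 2)
                .equals(List.of("globex")), "page 2");
        // Search runs after authorization, so it cannot reveal tenants the caller may not see.
        check(listTenants(tenants.stream(), alice, Optional.of("glob"), 0, 10).isEmpty(), "search leak");
        // The role only counts when granted on the realm-management client.
        check(listTenants(tenants.stream(), wrongClient, Optional.empty(), 0, 10).isEmpty(), "wrong client");
        System.out.println("all checks passed");
    }

    static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
    }
}
```

Compile and run with a Java 16 or newer JDK (records are used): `javac TenantListingModel.java && java TenantListingModel`. The "wrong client" case is the one worth carrying over to a real review of the change: the check is scoped to the realm-management client by getRealmManagementClient(), so a client role of the same name created on another client does not grant realm-wide tenant access.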

@anarsultanov
Owner

Thanks, @oleaasbo, for the detailed explanation and solution—it looks great! I haven’t had much free time recently to work on this, but your approach seems like a very good fit for what’s needed.

If you can, please go ahead and create a PR with your changes, and I’ll review it as soon as possible. If not, I’ll try to make some time next week to add this myself.

Thanks again for your work on this!

@anarsultanov
Owner

Hi @shehabghazy and @oleaasbo ,

I’ve created a PR implementing the tenant management role, based on @oleaasbo’s detailed proposal. I’d greatly appreciate it if you could take a look and share your feedback to ensure it meets your needs.

Thank you!
