Inconsistency using impersonation user permission #29653

Closed
1 of 2 tasks
masalinas opened this issue May 17, 2024 · 3 comments
Labels
area/admin/api kind/bug Categorizes a PR related to a bug team/core-iam

Comments


masalinas commented May 17, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/api

Describe the bug

I want to bind a user policy to the user impersonation permission without activating the feature admin-fine-grained-authz when starting a Keycloak service.
The documentation said that the impersonation feature is active by default in Keycloak, but if you don't activate the parameter admin-fine-grained-authz:

  • If you try to activate the user permissions using the Admin Console, the permissions tab is not shown in the user menu, so it is not possible to bind any policy visually.
  • If you try to activate the user permissions using the Admin CLI like this:

kcadm.sh update users-management-permissions -r poc -s enabled=true

You obtain an error like this.

For more on this error consult the server log at the debug level. [unknown_error]

This option only works when you activate the parameter admin-fine-grained-authz

Conclusion: you must activate the parameter admin-fine-grained-authz, a Preview feature, if you want to use impersonation, a Supported feature, so this situation is incongruent.

Version

24.0.4

Regression

  • The issue is a regression

Expected behavior

I want to bind a user policy to the user impersonation permission without activating the parameter admin-fine-grained-authz, which is a Preview feature.

Actual behavior

It is not possible to use the user impersonation behavior in a production environment because admin-fine-grained-authz is not recommended for use in this environment, as Keycloak comments.

How to Reproduce?

Try to activate the impersonation permissions from the Admin CLI and you will obtain an error; if you try to use the Admin Console, the permissions tab to be activated does not exist.

Anything else?

No response

@masalinas masalinas added kind/bug Categorizes a PR related to a bug status/triage labels May 17, 2024
@masalinas masalinas changed the title Incongruent using impersonation user permission Inconsistency using impersonation user permission May 21, 2024
@martin-kanis (Contributor)

@masalinas I think you are mixing two things.

  1. There is the impersonation "feature" that is available to any user with the impersonation role.
  2. Then you have the fine-grained impersonation control "feature", where you have more control over who can impersonate users. This is based on the admin-fine-grained-authz feature, which obviously needs to be enabled.

@martin-kanis martin-kanis self-assigned this Jun 7, 2024
@keycloak-github-bot keycloak-github-bot bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 7, 2024
@keycloak-github-bot

Thanks for reporting this issue. However, after review this is not considered a valid issue, or has been recently resolved.

As the issue is not valid it will be automatically closed.

masalinas (Author) commented Jun 7, 2024

OK, so the stable impersonation is related to the impersonation button that exists in the Keycloak Admin UI. So to use more detailed impersonation control, you must use the non-stable parameter admin-fine-grained-authz.

So my last question is: does the Keycloak roadmap include this feature as a stable feature in a short time?
