Add Groovy rules as superuser programmatically


I would like to automate the creation of a few Groovy rules. However, only the superuser is allowed to create such rules and I still couldn’t find a way to authenticate programmatically as a superuser (e.g., admin).

How can I do that?

Best regards.
Adriano Carvalho


Until we have a robust Groovy sandbox then indeed you need to be a superuser to create Groovy rules (as well as have the write:rules client role).

A superuser is defined as a user in the master realm with the admin realm role; as this cannot be set with the users page in the manager UI you can go to the Keycloak admin UI /admin and you can manually add the admin realm role to your master realm service user as follows:

  1. Log in as admin
  2. Select master realm
  3. Select clients (service users are actually defined as clients with a service user account)
  4. Select the client with the same name as your service user
  5. Select Service Account Roles tab
  6. Select the admin realm role and click add selected

Hi Rich,

Thank you for your response. Unfortunately, that approach requires more user interaction than we would like.

Is it possible to add the “admin” role programmatically?

Something that would be acceptable for us is to open the browser for the user to log-in when needed. Could this be done?

Best regards.
Adriano Carvalho

Keycloak has a REST API (which is what our manager uses to manage users) so you could also use that programmatically to add the admin role; I don’t know your use case but I assume you want to do this for lots of users over time? Are you using the auto provisioning functionality over MQTT or are your service users being manually created?
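
The six manual steps listed earlier map onto Keycloak's Admin REST API. As an added example (not part of the original thread and not OpenRemote's code), the following performs them for one service user and returns False when the role is already mapped, so it can be re-run safely. Assumptions: `base` is the Keycloak root URL including any path prefix your deployment uses, the built-in `admin-cli` client accepts the password grant, and the `KC_*` environment variable names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

def http_json(method, url, token=None, form=None, body=None):
    """Minimal HTTP helper: sends a form or JSON body, returns parsed JSON (or None)."""
    headers, data = {}, None
    if token:
        headers["Authorization"] = "Bearer " + token
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else None

def grant_admin_realm_role(base, admin_user, admin_pass, service_client_id, http=http_json):
    """Steps 1-6 of the manual procedure, via the Keycloak Admin REST API."""
    # 1. Log in as admin (password grant; assumes admin-cli allows it).
    token = http("POST", f"{base}/realms/master/protocol/openid-connect/token",
                 form={"grant_type": "password", "client_id": "admin-cli",
                       "username": admin_user, "password": admin_pass})["access_token"]
    admin = f"{base}/admin/realms/master"  # 2. master realm
    # 3-4. Find the client with the same name as the service user.
    q = urllib.parse.urlencode({"clientId": service_client_id})
    clients = http("GET", f"{admin}/clients?{q}", token=token)
    if len(clients) != 1:
        raise LookupError(f"expected exactly one client {service_client_id!r}")
    # 5. Resolve that client's service-account user.
    user = http("GET", f"{admin}/clients/{clients[0]['id']}/service-account-user", token=token)
    # 6. Add the 'admin' realm role unless it is already mapped.
    mappings = f"{admin}/users/{user['id']}/role-mappings/realm"
    if any(r["name"] == "admin" for r in http("GET", mappings, token=token)):
        return False
    role = http("GET", f"{admin}/roles/admin", token=token)
    http("POST", mappings, token=token, body=[role])
    return True

if __name__ == "__main__":
    # Hypothetical variable names; keep the admin credential out of source control.
    print(grant_admin_realm_role(os.environ["KC_BASE"], os.environ["KC_ADMIN"],
                                 os.environ["KC_PASS"], os.environ["KC_SERVICE_CLIENT"]))
```
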

Our use case is setting up OR instances, including adding rules and so on.

Now that I think about it, the SetupTasks feature could be a better option. Would that work?

SetupTasks is useful for initial static setup (provisioning assets, users, rules, etc.).

Whether this suits your use case depends on whether you know all the rules that are needed upfront.

The setup tasks could be used to provision service users and to add the admin realm role.
