keycloak-group-management

April 22, 2026

A Keycloak extension to support advanced group management features:

  • User-driven group enrollment flows:
    • Users can request membership in groups:
      • Accept group Terms & Conditions
      • Provide a comment/justification
    • Membership requests are reviewed by group managers
  • Time-based group membership:
    • Automatic expiration of group membership once a configurable time period has passed since the user joined the group
    • Membership renewal process
  • Roles within groups

Note: This extension requires RCIAM Keycloak and is not supported with upstream Keycloak distributions.

Keycloak compatibility matrix

RCIAM Keycloak releases follow the format: <UPSTREAM-KC-VERSION>-<RCIAM-VERSION> (e.g. 26.5.5-1.0)

| Group management release | Minimum RCIAM Keycloak release |
|--------------------------|--------------------------------|
| 0.9.0                    | 18.0.1-2.17                    |
| 0.10.0                   | 22.0.5-1.1                     |
| 0.13.0                   | 22.0.5-1.2                     |
| 0.18.0                   | 22.0.10-1.4                    |
| 0.19.0                   | 22.0.10-1.8                    |
| 1.7.0                    | 22.0.13-1.17                   |
| 2.0.0                    | 26.5.5-1.0                     |

General configuration options

All of the web services below must be called with an access token of a user holding a realm management role.

  1. Define the following realm attributes:
     • 'keycloakUrl' = Keycloak main URL
     • 'AgmUserAssuranceForEnrollment' = user assurance (default 'assurance'), from version 1.9.4
     • 'AgmUserIdentifierForEnrollment' = user identifier (default 'username'), from version 1.9.4
     • 'AgmMaxExpiredMembersToDelete' = maximum number of expired memberships deleted per day (default 100), from version 1.9.4; set in the master realm
  2. You can create the account roles manage-groups and manage-groups-extended for managing groups.

    manage-groups is a special role that can manage all groups in the same way as group administrators. The following actions are not permitted with this role:

    • delete group
    • delete role
    • invite a user
    • add group member role
    • delete group member role

    Users with this role can also:

    • create top level group
    • create group configuration
    • view all realm users

    manage-groups-extended is a role with the same permissions as manage-groups, providing relaxed rules for creating group members (useful in migration scenarios).

  3. (optional) For the general group management configuration options, execute the following web service (necessary on first deployment):

```bash
curl --request PUT \
  --url {server_url}/realms/{realmName}/agm/admin/configuration \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer {admin_access_token}' \
  --header 'Content-Type: application/json' \
  --data '{ "invitation-expiration-period": "72", "expiration-notification-period": "21" }'
```

Parameter explanation:

  • invitation-expiration-period = number of hours after which an invitation expires (default value is 72)
  • expiration-notification-period = number of days before group membership expiration (or AUP expiration) at which the notification email is sent to the user; can be overridden per group (default value is 21)
  4. To configure the entitlements user attribute, execute the following web service:

```bash
curl --request POST \
  --url {server_url}/realms/{realmName}/agm/admin/member-user-attribute/configuration \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer {admin_access_token}' \
  --header 'Content-Type: application/json' \
  --data '{ "userAttribute": "entitlements", "urnNamespace": "urn%3Amace%3Aexample.org", "authority": "rciam.example.org" }'
```

Only authority is optional; if it is not specified it is omitted from the group entitlements.

  5. Configuration rules exist for the group configuration options. Web service example:

```bash
curl --request POST \
  --url {server_url}/realms/{realmName}/agm/admin/configuration-rules \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer {admin_access_token}' \
  --header 'Content-Type: application/json' \
  --data '{ "field": "membershipExpirationDays", "type": "TOP_LEVEL", "required": true, "defaultValue": "30", "max": "45" }'
```

Fields explanation :

  • field : the group configuration field the rule applies to (required)
  • type : "TOP_LEVEL" or "SUBGROUP" (required)
  • required : whether the field is mandatory (required)
  • defaultValue : default value of the field
  • max : maximum value of the field

With PUT {server_url}/realms/{realmName}/agm/admin/configuration-rules/{id} you can update a configuration rule. With GET {server_url}/realms/{realmName}/agm/admin/configuration-rules you can get all configuration rules.

When a group is created, a default configuration is created for it. The group admin can change it or create a new one. Configuration rules determine the default group configuration and are enforced whenever a group configuration is created or updated.
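To make the rule semantics concrete, here is an added example (not code from the keycloak-group-management project) that models how a configuration rule with the documented fields (field, type, required, defaultValue, max) shapes a group configuration: defaults are filled in on creation, required fields are enforced, and a value above max is rejected. The function names, the error messages, the default table embedded as DEFAULT_CONFIGURATION (the documented defaults, with name left out) and the decision to treat max as a numeric bound are this example's own assumptions.

```python
"""Illustrative model of how configuration rules shape a group configuration.

Added example, not code from the keycloak-group-management project. It uses the
documented rule fields (field, type, required, defaultValue, max), the documented
default group configuration values, and the documented behaviour: rules supply
defaults when a configuration is created and are enforced on create/update.
Function names, the ValueError messages and the choice to treat max as a numeric
bound are this example's own.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any


@dataclass
class ConfigurationRule:
    field: str                      # group configuration field the rule governs
    type: str                       # "TOP_LEVEL" or "SUBGROUP"
    required: bool
    defaultValue: str | None = None
    max: str | None = None


def rule_from_request(body: str) -> ConfigurationRule:
    """Parse the JSON body of POST .../agm/admin/configuration-rules."""
    return ConfigurationRule(**json.loads(body))


# Documented defaults used when no configuration rule applies (name omitted here).
DEFAULT_CONFIGURATION: dict[str, Any] = {
    "requireApproval": True,
    "commentsNeeded": True,
    "visibleToNotMembers": False,
    "active": True,
    "membershipExpirationDays": None,
    "aup.url": None,
}

# Fields for which "max" is a numeric upper bound (assumption of this example).
NUMERIC_FIELDS = {"membershipExpirationDays"}


def _coerce(field_name: str, value: Any) -> Any:
    # Rule values arrive as strings in the request body; compare numbers as numbers.
    return int(value) if field_name in NUMERIC_FIELDS and value is not None else value


def apply_rules(configuration: dict[str, Any], rules: list[ConfigurationRule],
                group_type: str) -> dict[str, Any]:
    """Return a validated group configuration for a group of `group_type`.

    - fields missing from `configuration` take the matching rule's defaultValue,
      otherwise the documented default
    - a required field that ends up without a value is rejected
    - a numeric field above the rule's max is rejected
    """
    if group_type not in ("TOP_LEVEL", "SUBGROUP"):
        raise ValueError(f"unknown group type {group_type!r}")
    result = dict(DEFAULT_CONFIGURATION)
    result.update(configuration)
    for rule in rules:
        if rule.type != group_type:
            continue                      # rules are scoped to TOP_LEVEL or SUBGROUP
        value = result.get(rule.field)
        if value is None and rule.defaultValue is not None:
            value = rule.defaultValue
        if value is None and rule.required:
            raise ValueError(f"{rule.field} is required for {group_type} groups")
        value = _coerce(rule.field, value)
        if value is not None and rule.max is not None and rule.field in NUMERIC_FIELDS:
            if value > _coerce(rule.field, rule.max):
                raise ValueError(f"{rule.field}={value} exceeds maximum {rule.max}")
        result[rule.field] = value
    return result
```

Feeding the JSON body from the curl example above through rule_from_request and then apply_rules({}, [rule], "TOP_LEVEL") yields membershipExpirationDays 30; the same rule leaves a SUBGROUP configuration untouched because rules are scoped by type.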

Default group configuration values without any configuration rules:

| Field                    | Label             | Default value |
|--------------------------|-------------------|---------------|
| name                     | name              | Join +        |
| requireApproval          | Requires approval | True          |
| commentsNeeded           | Comments          | True          |
| visibleToNotMembers      | Visible           | False         |
| active                   | Active            | True          |
| membershipExpirationDays | Expiration date   | null          |
| aup.url                  | Aup url           | null          |

The default group role is member (assigned as the default role when the group is created).
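The time-based settings above (a group's membershipExpirationDays, where null means the membership never expires; the realm-wide expiration-notification-period with its per-group override; and AgmMaxExpiredMembersToDelete as the daily deletion cap) are modelled in the following added example. It is an illustration of the documented behaviour, not the extension's own scheduler; the Group and Membership classes, the function names, and the convention that a membership counts as expired on its expiration date are this example's assumptions.

```python
"""Illustrative model of time-based group membership as this README describes it.

Added example; not the extension's own scheduler. It uses the documented settings:
a group's membershipExpirationDays (null = membership never expires), the realm-wide
expiration-notification-period (days, default 21) which a group may override, and
AgmMaxExpiredMembersToDelete (default 100), the daily cap on removed expired
memberships. The Group/Membership classes and function names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Group:
    name: str
    membership_expiration_days: int | None   # membershipExpirationDays; None = no expiration
    notification_days: int | None = None     # per-group override of expiration-notification-period


@dataclass(frozen=True)
class Membership:
    username: str
    group: Group
    joined: date


def expiration_date(m: Membership) -> date | None:
    """Membership expires membershipExpirationDays after joining; None if it never expires."""
    days = m.group.membership_expiration_days
    return None if days is None else m.joined + timedelta(days=days)


def members_to_notify(memberships: list[Membership], today: date,
                      realm_notification_days: int = 21) -> list[Membership]:
    """Memberships whose expiration lies within the notification window.

    The group's own notification_days wins over the realm-wide value; memberships
    that never expire or have already expired get no reminder.
    """
    due = []
    for m in memberships:
        exp = expiration_date(m)
        if exp is None or exp <= today:
            continue
        window = m.group.notification_days
        if window is None:
            window = realm_notification_days
        if exp - timedelta(days=window) <= today:
            due.append(m)
    return due


def expired_members_to_delete(memberships: list[Membership], today: date,
                              max_expired_to_delete: int = 100) -> list[Membership]:
    """Expired memberships to remove in today's run, oldest expiry first.

    The AgmMaxExpiredMembersToDelete cap bounds the work done per day; anything
    beyond it is picked up by a later run.
    """
    expired = []
    for m in memberships:
        exp = expiration_date(m)
        if exp is not None and exp <= today:
            expired.append((exp, m))
    expired.sort(key=lambda pair: pair[0])
    return [m for _, m in expired[:max_expired_to_delete]]
```

With a 30-day group, a member who joined on 1 April 2026 expires on 1 May; on 22 April that member is inside the default 21-day window and is notified, while a member of a group that overrides the window to 7 days is not yet.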

REST API

Main URL: {server_url}/realms/{realm}/agm

User web services (any Keycloak user)

| Path | Method | Description | Classes |
|------|--------|-------------|---------|
| /account/user/groups | GET | get all user groups | UserGroups |
| /account/user/invitation/{id} | GET | get invitation by id | UserGroups |
| /account/user/invitation/{id}/accept | POST | accept invitation and become group member or admin | UserGroups |
| /account/user/invitation/{id}/reject | POST | reject invitation for becoming group member or admin | UserGroups |
| /account/user/groups/configurations | GET | get all available group configurations (active and visibleToNotMembers) by groupPath | UserGroups |
| /account/user/groups/configuration/{id} | GET | get group configuration by id | UserGroups |
| /account/user/group/{groupId}/configurations | GET | get all available group configurations (active and visibleToNotMembers) | UserGroup |
| /account/user/group/{groupId}/member | GET | get user group membership | UserGroupMember |
| /account/user/group/{groupId}/member | DELETE | leave user group membership | UserGroupMember |
| /account/user/enroll-requests | GET | get all user ongoing enrollment requests | UserGroups |
| /account/user/enroll-request | POST | create new enrollment request | UserGroups |
| /account/user/enroll-request/{id} | GET | get enrollment request by id | UserGroupEnrollmentRequestAction |
| /account/user/enroll-request/{id}/respond | POST | respond to enrollment request by id | UserGroupEnrollmentRequestAction |

Group admin web services (for group-specific web services the user must have admin rights on that group)

| Path | Method | Description | Classes |
|------|--------|-------------|---------|
| /account/group-admin/groups | GET | get all groups on which this user has admin rights | GroupAdminService |
| /account/group-admin/configuration-rules | GET | get group enrollment configuration rules based on group type | GroupAdminService |
| /account/group-admin/groupids/all | GET | get all group ids on which this user has admin rights | GroupAdminService |
| /account/group-admin/groups/members | GET | get all members of the groups given as a comma-separated string of group ids | GroupAdminService |
| /account/group-admin/group/{groupId} | DELETE | delete group | GroupAdminGroup |
| /account/group-admin/group/{groupId}/all | GET | get all group information | GroupAdminGroup |
| /account/group-admin/group/{groupId}/children | POST | create child group | GroupAdminGroup |
| /account/group-admin/group/{groupId}/configuration/all | GET | get all group enrollment configurations | GroupAdminGroup |
| /account/group-admin/group/{groupId}/configuration/{id} | GET | get group enrollment configuration | GroupAdminGroup |
| /account/group-admin/group/{groupId}/configuration | POST | create/update group enrollment configuration | GroupAdminGroup |
| /account/group-admin/group/{groupId}/configuration/{id} | DELETE | delete group enrollment configuration | GroupAdminGroup |
| /account/group-admin/group/{groupId}/default-configuration | POST | change default group enrollment configuration | GroupAdminGroup |
| /account/group-admin/group/{groupId}/roles | GET | get all group roles | GroupAdminGroup |
| /account/group-admin/group/{groupId}/roles | POST | create group role | GroupAdminGroup |
| /account/group-admin/group/{groupId}/role/{name} | DELETE | delete group role | GroupAdminGroup |
| /account/group-admin/group/{groupId}/members | GET | get all group members (paged), with search and filtering by type (e.g. active) | GroupAdminGroupMembers |
| /account/group-admin/group/{groupId}/members | POST | create a user group member based on username | GroupAdminGroupMembers |
| /account/group-admin/group/{groupId}/members/invitation | POST | send invitation to a user based on email | GroupAdminGroupMembers |
| /account/group-admin/group/{groupId}/member/{memberId} | PUT | update specific fields of group member | GroupAdminGroupMembers |
| /account/group-admin/group/{groupId}/member/{memberId} | DELETE | delete group member | GroupAdminGroupMember |
| /account/group-admin/group/{groupId}/member/{memberId}/role | POST | add role to group member | GroupAdminGroupMember |
| /account/group-admin/group/{groupId}/member/{memberId}/role/{name} | DELETE | delete role from group member | GroupAdminGroupMember |
| /account/group-admin/group/{groupId}/member/{memberId}/suspend | POST | suspend group member | GroupAdminGroupMember |
| /account/group-admin/group/{groupId}/member/{memberId}/activate | POST | activate group member | GroupAdminGroupMember |
| /account/group-admin/group/{groupId}/admin | POST | add user as admin using user id or username | GroupAdminGroup |
| /account/group-admin/group/{groupId}/admin/invite | POST | invite user as group admin of the group groupId | GroupAdminGroup |
| /account/group-admin/group/{groupId}/admin | DELETE | delete group admin using user id or username | GroupAdminService |
| /account/group-admin/enroll-requests | GET | get all group admin enrollment requests | GroupAdminService |
| /account/group-admin/enroll-request/{enrollId} | GET | get enrollment request | GroupAdminEnrollementRequest |
| /account/group-admin/enroll-request/{enrollId}/extra-info | POST | request extra information from user | GroupAdminEnrollementRequest |
| /account/group-admin/enroll-request/{enrollId}/accept | POST | accept group enrollment request | GroupAdminEnrollementRequest |
| /account/group-admin/enroll-request/{enrollId}/reject | POST | reject group enrollment request | GroupAdminEnrollementRequest |
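The user-driven enrollment flow spans the two tables above: a user creates an enroll-request, a group admin lists pending requests and accepts or rejects one. The following added example (not the project's own client) walks through that exchange over the documented paths under {server_url}/realms/{realm}/agm with a bearer token. It sends requests through an injectable transport so the flow can run offline against a constructed in-memory stand-in, FakeAgmServer, which models the review step: membership is granted only on accept, only an admin may review, and a request can be reviewed once. All request and response body keys (groupId, comments, aupAccepted, id, status, username, results), the fake's use of the token value as the user name, and the server URL are this example's assumptions, not the extension's actual wire format.

```python
"""Walk-through of the user-driven enrollment flow over the documented REST paths.

Added example, not the project's own client. Real URL structure from this README:
{server_url}/realms/{realm}/agm plus the /account/user/... and /account/group-admin/...
paths, authenticated with a bearer token. Everything about request/response bodies
(the keys groupId, comments, aupAccepted, id, status, username, results) is an
assumption, and FakeAgmServer is an in-memory stand-in so the flow runs offline.
"""
from __future__ import annotations


class AgmClient:
    """Thin client; `transport(method, url, headers, body) -> (status, json)` does the I/O."""

    def __init__(self, server_url, realm, token, transport):
        self.base = f"{server_url.rstrip('/')}/realms/{realm}/agm"
        self.headers = {"Accept": "application/json", "Content-Type": "application/json",
                        "Authorization": f"Bearer {token}"}
        self.transport = transport

    def _call(self, method, path, body=None):
        status, payload = self.transport(method, self.base + path, dict(self.headers), body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return payload

    # user side (any Keycloak user)
    def request_enrollment(self, group_id, comment):
        # body keys are assumed for this example (comment/justification + accepted T&C)
        return self._call("POST", "/account/user/enroll-request",
                          {"groupId": group_id, "comments": comment, "aupAccepted": True})

    def my_enrollment_requests(self):
        return self._call("GET", "/account/user/enroll-requests")

    # group-admin side (token must belong to an admin of the group)
    def pending_enrollment_requests(self):
        return self._call("GET", "/account/group-admin/enroll-requests")

    def accept_enrollment(self, enroll_id):
        return self._call("POST", f"/account/group-admin/enroll-request/{enroll_id}/accept")

    def reject_enrollment(self, enroll_id):
        return self._call("POST", f"/account/group-admin/enroll-request/{enroll_id}/reject")


class FakeAgmServer:
    """Constructed in-memory server: the bearer token doubles as the user name, `admins`
    lists which users may review requests, and membership is granted only on accept."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.requests = {}
        self.members = set()

    def __call__(self, method, url, headers, body):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {}
        user = auth[len("Bearer "):]
        path = url.split("/agm", 1)[1]
        if method == "POST" and path == "/account/user/enroll-request":
            rid = str(len(self.requests) + 1)
            self.requests[rid] = {"id": rid, "status": "PENDING_APPROVAL", "username": user, **body}
            return 200, dict(self.requests[rid])
        if method == "GET" and path == "/account/user/enroll-requests":
            return 200, {"results": [r for r in self.requests.values() if r["username"] == user]}
        if path.startswith("/account/group-admin/"):
            if user not in self.admins:
                return 403, {}               # review endpoints need group admin rights
            if method == "GET" and path == "/account/group-admin/enroll-requests":
                return 200, {"results": [r for r in self.requests.values()
                                         if r["status"] == "PENDING_APPROVAL"]}
            if method == "POST" and path.startswith("/account/group-admin/enroll-request/"):
                rid, action = path.rsplit("/", 2)[1:]
                req = self.requests.get(rid)
                if req is None or req["status"] != "PENDING_APPROVAL" or action not in ("accept", "reject"):
                    return 404, {}           # unknown, already reviewed, or unsupported action
                req["status"] = "ACCEPTED" if action == "accept" else "REJECTED"
                if action == "accept":
                    self.members.add((req["username"], req["groupId"]))
                return 200, dict(req)
        return 404, {}


def enroll_and_review(server, user_token, admin_token, group_id, comment, accept=True):
    """User files a request, a group admin reviews it; returns the reviewed request."""
    user = AgmClient("https://kc.example.org", "demo", user_token, server)   # placeholder URL/realm
    admin = AgmClient("https://kc.example.org", "demo", admin_token, server)
    req = user.request_enrollment(group_id, comment)
    pending = admin.pending_enrollment_requests()["results"]
    if not any(r["id"] == req["id"] for r in pending):
        raise RuntimeError("request not visible to the reviewer")
    return admin.accept_enrollment(req["id"]) if accept else admin.reject_enrollment(req["id"])
```

Swapping FakeAgmServer for a transport built on a real HTTP library is the only change needed to drive an actual deployment; the client keeps the user and admin tokens separate because the two halves of the flow are authorised differently.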

manage-groups account role

The role name can be changed in the database (column GROUP_ROLE_NAME of table GROUP_MANAGEMENT_EVENT).

| Path | Method | Description | Classes |
|------|--------|-------------|---------|
| /account/group-admin/group | POST | create top level group | GroupAdminService |

Admin web services

| Path | Method | Description | Classes |
|------|--------|-------------|---------|
| /admin/group | POST | create top level group | AdminService |
| /admin/configuration | PUT | change realm settings (realm attributes) | AdminService |
| /admin/member-user-attribute/configuration | GET | get member user attribute configuration | AdminService |
| /admin/member-user-attribute/configuration | POST | update member user attribute configuration | AdminService |
| /admin/configuration-rules | GET | get group enrollment configuration rules | AdminEnrollmentConfigurationRules |
| /admin/configuration-rules | POST | create group enrollment configuration rule | AdminEnrollmentConfigurationRules |
| /admin/configuration-rules/{id} | GET | get group enrollment configuration rule by id | AdminEnrollmentConfigurationRules |
| /admin/configuration-rules/{id} | PUT | update group enrollment configuration rule | AdminEnrollmentConfigurationRules |
| /admin/configuration-rules/{id} | DELETE | delete group enrollment configuration rule | AdminEnrollmentConfigurationRules |
| /admin/memberUserAttribute/calculation | POST | update member user attribute value for all users | AdminService |
| /admin/effective-expiration-date/calculation | POST | update user group membership effective expiration date for all realms | AdminService |
| /admin/user/{id} | DELETE | delete user | AdminService |
| /admin/group/{groupId} | DELETE | delete group | AdminGroups |
| /admin/group/{groupId}/configuration/{id} | GET | get group enrollment configuration | AdminGroups |
| /admin/group/{groupId}/configuration | POST | create/update group enrollment configuration | AdminGroups |
| /admin/group/{groupId}/admin/{userId} | POST | create group admin | AdminGroups |
| /admin/group/{groupId}/admin/{userId} | DELETE | delete group admin | AdminGroups |
| /admin/group/{groupId}/children | POST | create child group | AdminGroups |