Remove a realm role from a user
keycloak_user_role_unassignRevoke a specific realm-level role from a Keycloak user. Requires explicit confirmation to proceed; use after viewing current roles to avoid accidental removal.
Instructions
Destructive write: revokes a single realm-level role from a user (not a client role), removing the access that role grants. This action requires explicit confirmation and will not proceed unless 'confirm' is true. Use keycloak_user_roles_get first to see the user's current realm roles; for client-scoped roles use keycloak_user_client_role_unassign instead. Returns a confirmation that the role was removed, or a message explaining why it was not (for example, confirmation was declined or the user or role was not found).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| role | Yes | The name of the realm role to revoke (e.g. 'admin'), as shown by keycloak_user_roles_get. This is the role name, not its ID. | |
| userId | Yes | The Keycloak user ID (the user's UUID, e.g. 'f47ac10b-58cc-4372-a567-0e02b2c3d479'), not the username. Identifies the user the role is removed from. | |
| confirm | No | Explicit confirmation gate for this destructive removal. Must be set to true to actually revoke the role; if omitted or false, the operation is declined and no change is made. |