User Community Service Desk Downloads
If you can't find the product or version you're looking for, visit

Identity Provider Roles

Identity provider roles specify the user roles defined in your company and are loaded from the identity management system you are using.

In this guide, we’re using Keycloak as an example of the identity management system.

Some default ONE roles in Keycloak are essential for the system to work. Do not edit or delete existing roles in Keycloak.

Before you start

You cannot create new identity provider roles in ONE. All changes made to identity provider roles information in ONE apply only to ONE.

After modifying the list of identity provider roles in ONE, you need to manually synchronize it with your identity management system.

Identity provider roles must be mapped to governance roles. Both types of roles are essential for regulating access for groups. For more information about governance roles and groups, see Governance Roles and Groups.

Manage identity provider roles in Keycloak


The Ataccamaone realm is set up in Keycloak. This is done during the installation or upgrade of ONE.

To manage users and Keycloak roles, log in to Keycloak Admin Console as the Ataccamaone realm admin.

Typically, users and roles in Keycloak are loaded from other authentication services, such as Active Directory or LDAP. For more information about synchronization with Keycloak, see the official Keycloak documentation.

Keycloak roles

There are three main Keycloak roles in ONE:

  • MMM_admin: Allows you to see and manage all tabs and items in ONE. This role must be assigned to at least one user, that is a superuser with full access and editing rights across the whole platform.

  • MMM_application_admin: Allows you to make changes on all tabs and items in ONE except for System changes, Database backups, and Metadata model.

  • MMM_user: Allows you to log in for the first time. This role is a Data Consumer of the "Default" group. Once a user is assigned to any other identity provider role or mapped to any governance role within any group, that user automatically gets access to the application even without the MMM_user role assigned.

System changes, Database backups, Metadata model, Validations, and Custom layouts screens are only accessible if you have the MMM_admin or the MMM_application_admin role.

These roles are composite roles. This means it is actually the associated roles admin, application_admin, and default that are assigned to users (consequently assigning MMM_admin, MMM_application_admin, and MMM_user).

After you log in to the Keycloak admin console, you can create and map new roles and users.

Create or edit an identity provider role

  1. Log in to the Keycloak Admin Console and make sure the Ataccamaone realm is selected (1).

  2. Under Configure, go to Roles (2).

  3. On the Realm Roles tab, select Add Role (3) to create a new role or select an existing role to edit:

    Keycloak roles list
  4. Specify Details and Attributes.

Remove roles

To remove a role in Keycloak, on the Roles > Realm Roles tab, select Delete for the role and confirm your choice.

Keycloak delete roles

Manage identity provider roles in ONE

Use ONE to synchronize with your identity management system manually when there are issues with automatic synchronization. You can also manage identity provider role information in ONE, but these changes cannot be propagated to your identity management system.

Check the Before you start section before proceeding.

Synchronization works only in one direction: from your identity management system to ONE. After you run the synchronization, the changes in your identity management tool override all changes in ONE.

We strongly recommend managing all users and roles in your identity management system.

To view the list of roles from your identity management system, go to Global Settings > Identity Provider Roles.

Identity provider roles list

Select a role from the list to view the users and groups with this identity provider role assigned. Expand the group to see to which governance role this identity provider role is assigned.

Assigned users and groups

Edit identity provider roles in ONE

To edit the metadata of an identity provider role:

  1. Go to Global Settings > Identity Provider Roles.

  2. Select a role and then Edit.

  3. Modify the role name and/or description.

  4. After you’re done editing, select Save.

  5. Publish your changes.

Remove identity provider roles in ONE

To remove an identity provider role:

  1. Go to Global Settings > Identity Provider Roles.

  2. Do one of the following:

    • Select one or more roles from the list and then Delete.

      Delete roles
    • Open the role details and in the three dots menu select Delete.

  3. After you’re done editing, publish the changes.

Synchronize changes with IAM system

When a new user logs in to ONE for the first time, the identity provider role of this user is automatically loaded from Keycloak.

To load any later changes from your identity management tool to ONE, go to Global Settings > Users and select Update.

Synchronize changes

Once the changes are successfully synchronized, you receive a notification from the Processing Center.

Was this page useful?