
Mapping Roles and Users

Mapping of users and roles is done in Keycloak. To do this, go to the Keycloak Admin Console (http://localhost:8080/auth/) and follow these steps.

Creating roles

  1. Make sure the Ataccamaone realm is selected (in the upper-left corner).

  2. From the left navigation bar, select Roles.

  3. On the Realm Roles tab, select Add Role:

  4. Fill in Role Name and Description.

    Once a role is created in Keycloak, it is not possible to rename it.
  5. Select Save. The role appears in the roles list.


Editing roles

  1. Navigate to the Roles > Realm Roles tab.

  2. From the list of roles, select a role name to open the configuration. Here you can view and edit role Details and Attributes and view the list of Users in Role.


Removing roles

  1. Navigate to the Roles > Realm Roles tab.

  2. Find the role and select Delete, then confirm.


Role name prefixes

As Keycloak can simultaneously manage roles and users for web applications of multiple Ataccama products, roles in Keycloak are automatically mapped to a specific Ataccama web application using the role prefix defined for the application. By default, the permission settings in RDM Web Application only look for roles with the prefix RDM_.

Roles without a prefix are intended to be composite roles that consist of prefixed roles. For example, admin is a composition of MMM_admin, RDM_admin, and others. For more information about composite roles, see Keycloak official documentation.

Creating role names with prefixes

The role name in Keycloak is created as <rolePrefix>_<roleName>, where:

  • rolePrefix: A role name prefix defined in the appName element in the web application configuration file.

    Make sure to start the role name with the <appName>_ prefix. Otherwise, the application does not recognize the role.
  • roleName: A role name defined in the web application.

    Use kebab-case (all lowercase with dashes as word separators), without diacritics.
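
Because a role cannot be renamed once it exists in Keycloak, it helps to check planned names against this convention before creating them. The following is an added example, not part of the Ataccama or Keycloak tooling: the function names, the prefix set (RDM and MMM, taken from the role names mentioned above) and the case-sensitive prefix match are assumptions, and the sample role names are constructed.

```python
import re
import unicodedata

# Assumption: one prefix per configured web application (its appName value).
KNOWN_PREFIXES = {"RDM", "MMM"}
# kebab-case: lowercase ASCII letters/digits, words separated by single dashes.
KEBAB = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def suggest_role_part(label):
    """Turn a free-form label into a kebab-case roleName without diacritics."""
    decomposed = unicodedata.normalize("NFKD", label)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", "-", ascii_only.lower()).strip("-")


def classify_role(name, prefixes=KNOWN_PREFIXES):
    """Return (status, detail) for one Keycloak realm role name."""
    prefix, sep, role_part = name.partition("_")
    if not sep:
        # No prefix: the convention reserves these for composite roles.
        return ("composite-candidate", "no prefix; expected to be a composite role")
    if prefix not in prefixes:
        # Assumption: prefix matching is case-sensitive.
        return ("unrecognized-prefix", f"prefix {prefix!r} matches no configured appName")
    if not KEBAB.fullmatch(role_part):
        return ("bad-role-name", f"use {prefix}_{suggest_role_part(role_part)}")
    return ("ok", f"recognized by the {prefix} application")


def audit(names, prefixes=KNOWN_PREFIXES):
    """Map each role name to its classification."""
    return {n: classify_role(n, prefixes) for n in names}


if __name__ == "__main__":
    # Constructed sample of names planned for creation in the realm.
    sample = ["admin", "RDM_admin", "MMM_admin", "RDM_Data Steward",
              "rdm_viewer", "RDM_správce-dat", "RDM_data_steward"]
    for name, (status, detail) in audit(sample).items():
        print(f"{name:20} {status:20} {detail}")
```
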

Managing users in Keycloak

For more information and general use guidelines, see Keycloak official documentation.

After each role change (whether manual or gained from group roles), all sessions of the particular user should be logged out. To do this, log in as administrator to Keycloak Admin Console, and on the Sessions tab for that user, select Log out all sessions.

Creating users

To create users in Keycloak:

  1. Log in to Keycloak Admin Console.

  2. Make sure the Ataccamaone realm is selected (in the upper-left corner).

  3. Navigate to the Users screen.

  4. Select Add User.

  5. Fill in user details.

  6. Select Save. The user now appears in the Users list.

Editing users

  1. Log in to Keycloak Admin Console.

  2. Make sure the Ataccamaone realm is selected (in the upper-left corner).

  3. Navigate to the Users screen.

  4. From the list of users, select the user ID to open the configuration page. Here you can view and edit user Details, Attributes, Credentials, and view user Groups and Role Mappings.


Removing users

  1. Log in to Keycloak Admin Console.

  2. Make sure the Ataccamaone realm is selected (in the upper-left corner).

  3. Navigate to the Users screen.

  4. Find the user and select Delete, then confirm.


Mapping roles to users

To map roles to users in Keycloak:

  1. Log in to Keycloak Admin Console.

  2. Make sure the Ataccamaone realm is selected (in the upper-left corner).

  3. Navigate to the Users screen.

  4. From the list of users, select the user ID to open the configuration.

  5. On the Role Mappings tab, select from Available Roles and then Add selected.


To view all users with a particular role, open the role configuration and switch to the Users in Role tab.


To view all roles assigned to a user, open the user configuration page and switch to the Role Mappings tab.


See also web-application:setting-permissions.adoc for detailed information about RDM permissions.

Due to configuration changes, the Admin Console no longer grants access to the role RDM_admin but to the role defined in the property ataccama.one.rdm.system-group-name, which is also where access to the RDM web application Permissions tab is defined. This means the role defined in this property has access to both the Permissions tab and the Admin Console. To grant access to the Permissions tab only, use the property ataccama.one.rdm.permissions-group-name.
