Managing User Accounts
User accounts allow specific accesses to the application elements depending on their roles.
By default, the Keycloak configuration of the application defines the following users:
- gene_admin, with all available roles. For more details, please refer to Section Managing User Roles.
  Specific roles are recognized by the permission system and assigned by default to gene_admin. Note that:
  - The PERMISSIONS_ADMIN role allows editing permissions, which prevents locking all users out of the application due to a misconfiguration of permission rules.
  - The APPLICATION_ADMIN role allows users to perform application administration tasks, such as exporting and resetting the application configuration, or running the job-cleaning task.
  Note: These roles are also assigned, by default, to members of the user group GENE_ADMINS. For more details, please refer to Section Managing User Groups.
- user1, user2, user3, and user4, with the role GENE_USER.
Finally, the mandatory system role and users are defined in the default configuration.
The default configuration of an application defines a role named SYSTEM and four users with (only) this role, named backend-service, data-service, execution-service, and scenario-service. These users correspond to the microservices of the application and are used to authenticate REST calls between microservices. They are mandatory for the application to work, but they do not surface in the permission rules. The names and passwords of these four users must coincide with the ones defined in the application.yml files of the corresponding microservices, under the spring.application.name and spring.application.keycloak-password properties.
In the default configuration, the SYSTEM role is assigned to these four users through a group. That is, a Keycloak group named GENE_SERVICES is defined, the SYSTEM role is actually assigned to this group, and the four system users are set to belong to the group. The same principle is used to assign roles to the other users.
When you define your users and roles, the only requirement is the system role and users described above. However, as in the default configuration, you may want to assign the PERMISSIONS_ADMIN and APPLICATION_ADMIN roles to at least one user.
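The requirements above can be checked offline against a realm export before a custom configuration is deployed. The following is an added example, not part of the product or its documentation: it assumes a Keycloak realm export in JSON form with the application roles defined as realm roles, the sample realm is constructed, and the function names are hypothetical. It also reports service users that hold roles beyond SYSTEM, following the "(only) this role" layout of the default configuration.

```python
import json

SERVICE_USERS = ("backend-service", "data-service", "execution-service", "scenario-service")
ADMIN_ROLES = ("PERMISSIONS_ADMIN", "APPLICATION_ADMIN")

# Constructed sample, not a real export. Assumed layout: Keycloak realm export
# JSON with the application roles defined as realm roles.
SAMPLE_REALM = json.loads("""{
  "groups": [
    {"path": "/GENE_SERVICES", "realmRoles": ["SYSTEM"], "subGroups": []},
    {"path": "/GENE_ADMINS", "realmRoles": ["PERMISSIONS_ADMIN"], "subGroups": []}
  ],
  "users": [
    {"username": "backend-service", "groups": ["/GENE_SERVICES"]},
    {"username": "data-service", "groups": ["/GENE_SERVICES", "/GENE_ADMINS"]},
    {"username": "execution-service", "groups": []},
    {"username": "gene_admin", "groups": ["/GENE_ADMINS"]}
  ]
}""")

def group_roles(groups, inherited=frozenset()):
    """Flatten the group tree into {path: roles}, including roles of parent groups."""
    out = {}
    for g in groups:
        roles = inherited | set(g.get("realmRoles", []))
        out[g["path"]] = roles
        out.update(group_roles(g.get("subGroups", []), roles))
    return out

def effective_roles(realm):
    """Map each username to the roles it holds directly or through its groups."""
    by_path = group_roles(realm.get("groups", []))
    return {u["username"]: set(u.get("realmRoles", [])).union(
                *(by_path.get(p, set()) for p in u.get("groups", [])))
            for u in realm.get("users", [])}

def audit(realm):
    """Return deviations from the mandatory and recommended setup described above."""
    roles, findings = effective_roles(realm), []
    for name in SERVICE_USERS:
        if name not in roles:
            findings.append(f"{name}: user missing")
        elif "SYSTEM" not in roles[name]:
            findings.append(f"{name}: SYSTEM role missing")
        elif roles[name] != {"SYSTEM"}:
            findings.append(f"{name}: extra roles {sorted(roles[name] - {'SYSTEM'})}")
    for role in ADMIN_ROLES:
        if not any(role in held for held in roles.values()):
            findings.append(f"{role}: assigned to no user")
    return findings
```

An empty list from audit() means the four service users exist with only the SYSTEM role and both administration roles are held by at least one user.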
Note that, when managing users, groups should be created first and associated with their roles. In a second step, the users can be added to groups.
You can find the official Keycloak documentation about group management here.
To list the available users in the system, click on the "Groups" menu.
Listing the Available Groups
To delete a user, click on the associated button.
Deleting a User
Defining a user requires going through three steps: user creation, credentials configuration and group association.
Click on the "Add user" button in the "Users" page.
Adding a User
Then the only field that is mandatory is the username. Once filled in, just click on the "Save" button.
Typing a Username and Clicking on Save
The new user is created and its credentials must be defined to allow a real user to log into the application. Set temporary credentials by filling in the credentials form. Leave the temporary option enabled and then click on the "Set Password" button.
Filling in the Credential Form
Once a user has been created, its credentials can be edited at any given time. For more details, please refer to Section Configuring User Credentials.
Add the user to the "GENE_USERS" group in the "Groups" tab.
Joining the GENE_USERS Group