Managing User Accounts

User accounts grant access to specific elements of the application depending on their roles.

By default, the Keycloak configuration of the application defines the following users:

  • gene_admin, with all available roles. For more details, please refer to Section Managing User Roles.

    Specific roles are recognized by the permission system and assigned by default to the gene_admin.

    Note that:

    • The PERMISSIONS_ADMIN role allows its holders to edit permissions, which prevents locking all users out of the application due to a misconfiguration of permission rules.

    • The APPLICATION_ADMIN role allows its holders to perform application administration tasks, such as exporting and resetting the application configuration, or running the job-cleaning task.

    Note:

    These roles are also assigned, by default, to members of the user group GENE_ADMINS. For more details, please refer to Section Managing User Groups.

  • user1, user2, user3, and user4 with the role GENE_USER.

Finally, the mandatory system role and users are defined in the default configuration.

The default configuration of an application defines a role named SYSTEM and four users with (only) this role, named backend-service, data-service, execution-service, and scenario-service. These users correspond to the microservices of the application and are used to authenticate REST calls between microservices. They are mandatory for the application to work, but they do not surface in the permission rules. The names and passwords of these four users must coincide with the ones defined in the application.yml files of the corresponding microservices, under the spring.application.name and spring.application.keycloak-password properties.

In the default configuration, the SYSTEM role is assigned to these four users through a group. That is, a Keycloak group named GENE_SERVICES is defined, the SYSTEM role is actually assigned to this group, and the four system users are set to belong to the group. The same principle is used to assign roles to the other users.

When you define your users and roles, the only requirement is the system role and users described above. However, as in the default configuration, you may want to assign the PERMISSIONS_ADMIN and APPLICATION_ADMIN roles to at least one user.
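
The following Python check is an added example, not part of the original documentation or of the application's own code. It audits a Keycloak realm export against the requirements above: the SYSTEM role exists, each of the four service users holds only that role (directly or through a group), and each admin role is held by at least one user. It assumes the export's `users`, `groups` and `roles.realm` layout with top-level groups only; the sample realm and the function names are constructed for illustration.

```python
SERVICE_USERS = ("backend-service", "data-service", "execution-service", "scenario-service")
ADMIN_ROLES = ("PERMISSIONS_ADMIN", "APPLICATION_ADMIN")

def sample_realm():
    """Constructed realm export mirroring the default configuration described above."""
    def user(name, group):
        return {"username": name, "realmRoles": [], "groups": [group]}
    return {
        "roles": {"realm": [{"name": r} for r in ("SYSTEM", "GENE_USER") + ADMIN_ROLES]},
        "groups": [
            {"path": "/GENE_SERVICES", "realmRoles": ["SYSTEM"]},
            {"path": "/GENE_ADMINS", "realmRoles": ["GENE_USER", *ADMIN_ROLES]},
            {"path": "/GENE_USERS", "realmRoles": ["GENE_USER"]},
        ],
        "users": [user(n, "/GENE_SERVICES") for n in SERVICE_USERS]
                 + [user("gene_admin", "/GENE_ADMINS"), user("user1", "/GENE_USERS")],
    }

def effective_roles(realm):
    """Map username -> realm roles held directly or through group membership."""
    by_group = {g["path"]: set(g.get("realmRoles", [])) for g in realm.get("groups", [])}
    held = {}
    for u in realm.get("users", []):
        roles = set(u.get("realmRoles", []))
        for path in u.get("groups", []):
            roles |= by_group.get(path, set())
        held[u["username"]] = roles
    return held

def audit(realm):
    """Return a list of findings; an empty list means the requirements are met."""
    findings = []
    held = effective_roles(realm)
    if "SYSTEM" not in {r["name"] for r in realm.get("roles", {}).get("realm", [])}:
        findings.append("SYSTEM: role not defined")
    for name in sorted(SERVICE_USERS):
        if name not in held:
            findings.append(f"{name}: user missing")
        elif "SYSTEM" not in held[name]:
            findings.append(f"{name}: SYSTEM role not held")
        elif held[name] != {"SYSTEM"}:
            # Assumption: any extra role is flagged; allow-list built-in roles if needed.
            findings.append(f"{name}: extra roles {sorted(held[name] - {'SYSTEM'})}")
    for role in sorted(ADMIN_ROLES):
        if not any(role in roles for roles in held.values()):
            findings.append(f"{role}: held by no user")
    return findings

if __name__ == "__main__":
    print(audit(sample_realm()) or "realm meets the requirements")
```

The check does not cover the passwords, which must still be compared with the spring.application.keycloak-password property of each microservice.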

Note:

When managing users, create the groups first and associate them with their roles. In a second step, add the users to the groups.

You can find the official Keycloak documentation about group management here.

To list the available users in the system, click on the "Groups" menu.

Listing the Available Groups

To delete a user, click on the associated button.

Deleting a User

Defining a user requires going through three steps: user creation, credentials configuration and group association.

Click on the "Add user" button in the "Users" page.

Adding a User

The only mandatory field is the username. Once it is filled in, click on the "Save" button.

Typing a Username and Clicking on Save

The new user is created, and its credentials must be defined to allow a real user to log in to the application. Set temporary credentials by filling in the credentials form. Leave the temporary option enabled and then click on the "Set Password" button.

Filling in the Credential Form

Once a user has been created, its credentials can be edited at any given time. For more details, please refer to Section Configuring User Credentials.

Add the user to the "GENE_USERS" group in the "Groups" tab.

Joining the GENE_USERS Group