Cloud Pak for Integration roles and permissions
Roles that are assigned within IBM Cloud Pak® for Integration define the various tasks that are required to configure and use IBM Cloud Pak for Integration. Product roles are assigned within Keycloak and organized into groups of roles under Keycloak clients.
These Keycloak clients represent the following:
The Cloud Pak for Integration installation as a whole
Deployed instances
The Keycloak realm itself
The account management console
A Cloud Pak for Integration user is assigned permissions in Keycloak using role-based access control. When assigning a role to a user or a group in Keycloak, select Filter by clients to show roles associated with clients. You can search for specific roles and clients.
Cloud Pak for Integration client roles
When an instance that uses Keycloak is created, a corresponding Keycloak client is also created. Each client contains roles that are applicable to that specific instance. There is also a Keycloak client that represents the Cloud Pak for Integration installation as a whole.
The client for the Cloud Pak for Integration installation is named integration-<namespace>-xxxxx, where namespace is the namespace in which the Cloud Pak for Integration operators are installed. Omit the namespace value if Cloud Pak for Integration is installed in "All namespaces on the cluster" mode.
The roles included in the Cloud Pak for Integration client are:
admin
viewer
There are also roles in the Cloud Pak for Integration client that allow access to all instances of a specific instance type within the Cloud Pak for Integration installation. The roles associated with each instance type are as follows:
Integration dashboard - dashboard-admin, dashboard-viewer
Integration design - designerauthoring-admin
Kafka cluster - eventstreams-admin
Queue manager - queuemanager-webadmin, queuemanager-webadminro, queuemanager-webuser
Individual instance client roles
Individual instances have their own Keycloak clients. You can find the client name for a specific instance within your Cloud Pak for Integration installation in the status section of the custom resource for that instance.
Roles within these clients apply only to the single instance represented by the custom resource.
Realm management client roles
In Keycloak, a realm is a space where you manage objects, including users, applications, roles, and groups. The realm-management client represents the Keycloak realm and can be used to assign identity and access management roles.
An admin user is assigned roles from the realm-management client. The following user functions are listed with their corresponding roles:
Keycloak user and group management - manage-users, query-users, query-groups
Identity provider management - manage-identity-providers, view-identity-providers
User federation management - manage-realm, view-realm
Advanced configuration - realm-admin
Two realm management administrators are automatically created:
Integration administrator - Enables administration of all instances and enables user, group and permissions management within Keycloak. For more information, see Getting the initial administrator password.
Keycloak administrator - Enables advanced access to Keycloak. For more information, see Keycloak configuration.
Account client roles
The account client represents a user's own account and their ability to access the Keycloak account console to perform actions such as changing their own password and viewing their personal information.
Individual users are assigned roles from the account client by default. These roles enable the following actions:
view-profile - View their own profile within Keycloak
manage-account - Change their Keycloak password
Assigning roles to users in the Keycloak UI
From the IBM Cloud Pak Platform UI home page, click the Navigation menu icon in the IBM Cloud Pak for Integration banner, then click Administration > Access control. The "Welcome to cloudpak" realm page opens.
From the navigation menu, click Users.
Enter the username in the search box.
From the list of users, click a username to open the "User details" page.
Click the Role mapping tab.
Click Assign role.
Click to open the dropdown menu and click Filter by clients.
Select the roles that you want for this user and click Assign.
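After roles have been assigned, a practitioner usually wants to check which users hold installation-wide or realm-management privileges rather than instance-scoped ones. The following audit helper is an added example, not IBM code: it classifies one user's client role mappings in the shape returned by the Keycloak admin API (GET /admin/realms/{realm}/users/{id}/role-mappings) against the client and role names described on this page. The sample mapping is constructed, and the regular expression for the integration-<namespace>-xxxxx client name is an assumption about the suffix format.

```python
import re

# Assumption: the installation-wide client is "integration-<namespace>-<suffix>",
# with the namespace omitted in "All namespaces on the cluster" mode.
INSTALL_CLIENT_RE = re.compile(r"^integration-(?:(?P<ns>.+)-)?(?P<suffix>[a-z0-9]+)$")

# realm-management roles from this page that grant administrative reach over the realm.
REALM_ADMIN_ROLES = {"realm-admin", "manage-realm", "manage-users", "manage-identity-providers"}
# Roles in the installation-wide client that administer the installation or every instance of a type.
INSTALL_ADMIN_ROLES = {"admin", "dashboard-admin", "designerauthoring-admin",
                       "eventstreams-admin", "queuemanager-webadmin"}


def classify_role_mappings(mapping: dict) -> dict:
    """Group a user's client roles by the kind of Keycloak client they come from."""
    result = {"realm_management": [], "installation_wide": [], "account": [], "instance_scoped": {}}
    for client_id, entry in mapping.get("clientMappings", {}).items():
        roles = sorted(r["name"] for r in entry.get("mappings", []))
        if client_id == "realm-management":
            result["realm_management"] = roles
        elif client_id == "account":
            result["account"] = roles
        elif INSTALL_CLIENT_RE.match(client_id):
            result["installation_wide"] = roles
        else:
            # Any other client is taken to be an individual instance client (found in the CR status).
            result["instance_scoped"][client_id] = roles
    return result


def privileged_roles(mapping: dict) -> list:
    """Return the roles that go beyond a single instance, for a least-privilege review."""
    groups = classify_role_mappings(mapping)
    flagged = [f"realm-management:{r}" for r in groups["realm_management"] if r in REALM_ADMIN_ROLES]
    flagged += [f"installation:{r}" for r in groups["installation_wide"] if r in INSTALL_ADMIN_ROLES]
    return flagged


# Constructed sample of one user's role mappings; not real Keycloak output.
SAMPLE_MAPPING = {
    "realmMappings": [],
    "clientMappings": {
        "realm-management": {"client": "realm-management", "mappings": [{"name": "query-users"}, {"name": "manage-users"}]},
        "integration-cp4i-a1b2c": {"client": "integration-cp4i-a1b2c", "mappings": [{"name": "dashboard-viewer"}]},
        "qm-demo-z9y8x": {"client": "qm-demo-z9y8x", "mappings": [{"name": "queuemanager-webuser"}]},
        "account": {"client": "account", "mappings": [{"name": "view-profile"}, {"name": "manage-account"}]},
    },
}

if __name__ == "__main__":
    print(privileged_roles(SAMPLE_MAPPING))
```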