Cloud Pak for Integration roles and permissions

Roles that are assigned within IBM Cloud Pak® for Integration define the various tasks that are required to configure and use IBM Cloud Pak for Integration. Product roles are assigned within Keycloak and organized into groups of roles under Keycloak clients.

These Keycloak clients represent the following:

  • The Cloud Pak for Integration installation as a whole

  • Deployed instances

  • The Keycloak realm itself

  • The account management console

A Cloud Pak for Integration user is assigned permissions in Keycloak using role-based access control. When assigning a role to a user or a group in Keycloak, select Filter by clients to show roles associated with clients. You can search for specific roles and clients.

Cloud Pak for Integration client roles

When an instance that uses Keycloak is created, a corresponding Keycloak client is also created. Each client contains roles that are applicable to that specific instance. There is also a Keycloak client that represents the Cloud Pak for Integration installation as a whole.

The client for the Cloud Pak for Integration installation is named integration-<namespace>-xxxxx, where <namespace> is the namespace in which the Cloud Pak for Integration operators are installed. Omit the namespace value if Cloud Pak for Integration is installed in the "All namespaces on the cluster" mode.

The roles included in the Cloud Pak for Integration client are:

  • admin

  • viewer

There are also roles in the Cloud Pak for Integration client that allow access to all instances of a specific instance type within the Cloud Pak for Integration installation. The roles associated with each instance type are as follows:

  • Integration dashboard - dashboard-admin, dashboard-viewer

  • Integration design - designerauthoring-admin

  • Kafka cluster - eventstreams-admin

  • Queue manager - queuemanager-webadmin, queuemanager-webadminro, queuemanager-webuser

Individual instance client roles

Individual instances have their own Keycloak clients. You can find the client name for a specific instance within your Cloud Pak for Integration installation in the status section of the custom resource for that instance.

Roles within these clients apply only to the single instance represented by the custom resource.

Realm management client roles

In Keycloak, a realm is a space where you manage objects, including users, applications, roles, and groups. The realm-management client represents the Keycloak realm and can be used to assign identity and access management roles.

An admin user is assigned roles from the realm-management client. The following user functions are listed with their corresponding roles:

  • Keycloak user and group management - manage-users, query-users, query-groups

  • Identity provider management - manage-identity-providers, view-identity-providers

  • User federation management - manage-realm, view-realm

  • Advanced configuration - realm-admin

Two realm management administrators are automatically created:

Account client roles

The account client represents a user's own account and their ability to access the Keycloak account console to perform actions such as changing their own password and viewing their personal information.

Individual users are assigned roles from the account client by default. These roles enable the following actions:

  • view-profile - View their own profile within Keycloak

  • manage-account - Change their Keycloak password

Assigning roles to users in the Keycloak UI

  1. From the IBM Cloud Pak Platform UI home page, click the Navigation menu icon in the IBM Cloud Pak for Integration banner, then click Administration > Access control. The "Welcome to cloudpak" realm page opens.

  2. From the navigation menu, click Users.

  3. Enter the username in the search box.

  4. From the list of users, click a username to open the "User details" page.

  5. Click the Role mapping tab.

  6. Click Assign role.

  7. Click to open the dropdown menu and click Filter by clients.

  8. Select the roles that you want for this user and click Assign.
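The UI procedure above assigns roles one user at a time, and the earlier sections explain which roles are broad (realm-admin and manage-realm on the realm-management client; admin and the per-type *-admin roles on the installation client) and which are scoped to a single instance client. The following added example, which is not part of this page or of the product, audits users' effective role mappings against that model and builds the Keycloak Admin REST API request that corresponds to steps 5 to 8. The mapping shape matches what Keycloak returns from GET /admin/realms/{realm}/users/{user-id}/role-mappings; the users, role ids, and the installation client name integration-cp4i-abcde are constructed sample values, the realm name cloudpak comes from the page, and the set of "designated administrators" is an assumption supplied by the caller.

```python
"""Offline audit of Keycloak client-role mappings in a Cloud Pak for Integration realm.

Added example. The data below is constructed to match the Keycloak Admin REST API
role-mapping representation; none of the ids or users come from a real installation.
"""
from typing import Dict, List, Set, Tuple

# Client naming and role names taken from the page; the prefix is the
# integration-<namespace>-xxxxx pattern of the installation client.
INSTALLATION_CLIENT_PREFIX = "integration-"
BROAD_REALM_ROLES = {"realm-admin", "manage-realm"}
INSTALLATION_WIDE_ROLES = {
    "admin", "dashboard-admin", "designerauthoring-admin",
    "eventstreams-admin", "queuemanager-webadmin",
}
DEFAULT_ACCOUNT_ROLES = {"view-profile", "manage-account"}

# Constructed sample: effective role mappings for two users, keyed by username.
SAMPLE_MAPPINGS = {
    "alice": {
        "realmMappings": [{"id": "r-1", "name": "default-roles-cloudpak"}],
        "clientMappings": {
            "realm-management": {"id": "c-rm", "client": "realm-management",
                                 "mappings": [{"id": "r-2", "name": "realm-admin"}]},
            "integration-cp4i-abcde": {"id": "c-int", "client": "integration-cp4i-abcde",
                                       "mappings": [{"id": "r-3", "name": "admin"}]},
            "account": {"id": "c-acc", "client": "account",
                        "mappings": [{"id": "r-4", "name": "view-profile"},
                                     {"id": "r-5", "name": "manage-account"}]},
        },
    },
    "bob": {
        "realmMappings": [],
        "clientMappings": {
            "realm-management": {"id": "c-rm", "client": "realm-management",
                                 "mappings": [{"id": "r-6", "name": "manage-users"},
                                              {"id": "r-7", "name": "query-users"}]},
            "integration-cp4i-abcde": {"id": "c-int", "client": "integration-cp4i-abcde",
                                       "mappings": [{"id": "r-8", "name": "queuemanager-webadmin"}]},
            "account": {"id": "c-acc", "client": "account",
                        "mappings": [{"id": "r-4", "name": "view-profile"},
                                     {"id": "r-5", "name": "manage-account"}]},
        },
    },
}


def client_roles(mapping: dict) -> Dict[str, Set[str]]:
    """Flatten a role-mapping representation into {clientId: {role names}}."""
    return {
        entry["client"]: {role["name"] for role in entry.get("mappings", [])}
        for entry in mapping.get("clientMappings", {}).values()
    }


def audit_user(username: str, mapping: dict, designated_admins: Set[str]) -> List[str]:
    """Return review findings for one user: broad realm roles held outside the
    designated admin set, installation-wide roles, and non-default account roles."""
    findings: List[str] = []
    roles = client_roles(mapping)
    for role in sorted(roles.get("realm-management", set()) & BROAD_REALM_ROLES):
        if username not in designated_admins:
            findings.append(f"{username}: realm-management/{role} held by a non-designated administrator")
    for client, names in sorted(roles.items()):
        if client.startswith(INSTALLATION_CLIENT_PREFIX):
            for role in sorted(names & INSTALLATION_WIDE_ROLES):
                findings.append(f"{username}: {client}/{role} applies to the whole installation; "
                                "confirm an instance client role is not sufficient")
    extra_account = roles.get("account", set()) - DEFAULT_ACCOUNT_ROLES
    if extra_account:
        findings.append(f"{username}: account client has non-default roles {sorted(extra_account)}")
    return findings


def audit_realm(mappings: Dict[str, dict], designated_admins: Set[str]) -> Dict[str, List[str]]:
    """Audit every user in the supplied mappings."""
    return {user: audit_user(user, mapping, designated_admins) for user, mapping in mappings.items()}


def assignment_request(realm: str, user_id: str, client_uuid: str,
                       role_id: str, role_name: str) -> Tuple[str, List[dict]]:
    """Build the Admin REST API call equivalent to UI steps 5 to 8: POST a list of
    role representations to the user's client role-mapping endpoint. client_uuid is
    the client's internal id (the "id" field of a clientMappings entry), not its clientId."""
    path = f"/admin/realms/{realm}/users/{user_id}/role-mappings/clients/{client_uuid}"
    return path, [{"id": role_id, "name": role_name}]


if __name__ == "__main__":
    # alice is the assumed designated administrator in this sample.
    for user, findings in audit_realm(SAMPLE_MAPPINGS, {"alice"}).items():
        print(user, findings or "no findings")
```

To run the audit against a live realm, fetch each user's mapping from the role-mappings endpoint with a token that holds query-users and view-realm (the realm-management roles listed above) and pass the results to audit_realm; the assignment request is sent with the same endpoint family and a token that holds manage-users.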