There are two types of users in Keycloak: HCI admin users and standard users.
The HCI admin user is created during the installation process. By default, this user is given all rights and permissions to the HCI realm, Swagger API, Workflow Designer, and Search App. In addition to the core roles that HCI assigns to all of its users, admin users are additionally assigned:
- realm-admin
- SearchAppAdmin
- WorkflowDesignerAdmin
- grafana:app
- prometheus:app
Subsequently, standard users are only assigned the five core roles by HCI upon their creation. These roles are:
- query-clients
- query-groups
- view-clients
- view-users
- query-users
These roles provide standard users with all of the access required to operate within Keycloak, but do not grant access to HCI functionality. Users that want to access HCI features will need to be assigned the appropriate HCI-Client composite roles for both Search App and Workflow Designer by their HCI admin user in order to successfully access and use the product.
For Search App, the composite roles are:
- Search Alerts
- Search Bulk Actions
- Search Indexes
- Search Plugins
- Search Query
For Workflow Designer, the composite roles are:
- Workflow Alerts
- Workflow Aliases
- Workflow Certificates
- Workflow Content Classes
- Workflow Datasources
- Workflow Indexes
- Workflow Pipelines
- Workflow Plugins
- Workflow Recovery
- Workflow Security Groups
- Workflow Security Settings
- Workflows
All roles assigned to a user can be viewed under the Users > Role mapping tab. All roles available for assignment within a specific realm can be viewed under the Realms > Roles tab.