Role-based access control in Keycloak
Understand available user types and user roles
Read time 2 minutesLast updated 11 days ago
This section lists the user types and user roles that are available in the solution. These important rules apply:
- Every user must have at least one user type at the organization level. The user type not only indicates their access level but also links the user to an organization. One user type suffice. If the user has several user types, then the type with most permissions takes precedence. For example, if the user has both the User and Owner user types, then the Owner user type applies by default.
-
If you assign, to a user, the Guest user type at the organization level, then explicitly add this user to specific projects so that they can access Asset Manager. At the project level, assign these roles to the user:
- The Owner or User type.
- Optionally, Asset Manager roles to users who have the User type. These add-on roles are based on Role-Based Access Control (RBAC).
- Service accounts can't have a user type. If you assign a user type to a service account in Keycloak, Unity Virtual Private Cloud ignores it.
- Users and service accounts have different sets of roles, even for a same set of permissions. If you assign, to a service account, a role that is for users, or conversely, Virtual Private Cloud ignores it.
- By default, in a project, users inherit the user type and the user roles that they have at the level of the organization to which the project belongs.
- A user who has the User or Guest user type at the organization level can have a higher user type at the project level. For that specific project, the user type at the project level takes precedence over the user type at the organization level.
User types
This table shows the list of available user types:Account type | Level | User type | ID |
|---|---|---|---|
| User | Organization | Owner | 072429ce-8400-4b65-ac72-4b96e3278931 |
| User | Organization | User | 39943160-54da-49ac-b1c7-bf26adc65855 |
| User | Organization | Guest | 6685d32d-f81a-4aeb-b95e-159c791a72d8 |
| User | Project | Owner | 31a353cd-436a-4d1d-895f-6d98ff2d121f |
| User | Project | User | d9c31bee-a173-4a97-b41d-3ad320f7f93b |
User roles
This table shows the list of available user roles:Account type | Level | User role | ID |
|---|---|---|---|
| User | Organization | Asset Manager Admin | c8b054a9-1940-4f05-9059-f3859f1704b3 |
| User | Project | Asset Manager Viewer | 4101ecc8-2223-4066-aa4b-6b6f4d0d01e6 |
| User | Project | Asset Manager Consumer | e5411482-bf96-4166-a1e5-07726894b8b5 |
| User | Project | Asset Manager Contributor | c7fcf669-df1b-4a47-a662-4c15e0a29425 |
| Service account | Organization | Asset Manager Search | 009c9403-7516-40cb-8bc1-7f708ec307b7 |
| Service account | Organization | Asset Manager Admin | d0d7803a-b0a1-4a71-9350-0712c3da7e59 |
| Service account | Project | Asset Manager Viewer | b5b10e2a-5838-4235-ac3a-9be9fcec6ead |
| Service account | Project | Asset Manager Consumer | bc1a173e-9f7a-4001-959e-ffc12ff98a7b |
| Service account | Project | Asset Manager Contributor | 5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c |
Naming pattern
The names of user types and users roles must follow this pattern:-
At the organization level: Examples:
organization.<user-type-or-role-id>- Owner user type:
organization.072429ce-8400-4b65-ac72-4b96e3278931 - Asset Manager Admin role for service accounts:
organization.d0d7803a-b0a1-4a71-9350-0712c3da7e59
- Owner user type:
-
At the project level: Examples:
project.<project-id>.<user-type-or-role-id>- Asset Manager Contributor role for users:
project.9de8bc60-a385-4cf1-82d5-dd50ab6e8539.c7fcf669-df1b-4a47-a662-4c15e0a29425 - Asset Manager Contributor role for service accounts:
project.9de8bc60-a385-4cf1-82d5-dd50ab6e8539.5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c
- Asset Manager Contributor role for users: