Role-based access control in Keycloak

Understand available user types and user roles

This section lists the user types and user roles that are available in the solution. These important rules apply:
  • Every user must have at least one user type at the organization level. The user type not only indicates the user's access level but also links the user to an organization. One user type suffices. If a user has several user types, the type with the most permissions takes precedence. For example, a user who has both the User and Owner user types is treated as an Owner by default.
  • Service accounts can't have a user type. If you assign a user type to a service account in Keycloak, Unity Virtual Private Cloud ignores it.
  • Users and service accounts have different sets of roles, even where the roles grant the same permissions. If you assign a user role to a service account, or a service-account role to a user, Virtual Private Cloud ignores it.
  • By default, in a project, users inherit the user type and the user roles that they have at the level of the organization to which the project belongs.
  • A user who has the User or Guest user type at the organization level can have a higher user type at the project level. For that specific project, the user type at the project level takes precedence over the user type at the organization level.
Read more about user types and user roles:

User types

This table shows the list of available user types:

Account type  Level         User type  ID
User          Organization  Owner      072429ce-8400-4b65-ac72-4b96e3278931
User          Organization  User       39943160-54da-49ac-b1c7-bf26adc65855
User          Organization  Guest      6685d32d-f81a-4aeb-b95e-159c791a72d8
User          Project       Owner      31a353cd-436a-4d1d-895f-6d98ff2d121f
User          Project       User       d9c31bee-a173-4a97-b41d-3ad320f7f93b

User roles

This table shows the list of available user roles:

Account type     Level         User role                  ID
User             Organization  Asset Manager Admin        c8b054a9-1940-4f05-9059-f3859f1704b3
User             Project       Asset Manager Viewer       4101ecc8-2223-4066-aa4b-6b6f4d0d01e6
User             Project       Asset Manager Consumer     e5411482-bf96-4166-a1e5-07726894b8b5
User             Project       Asset Manager Contributor  c7fcf669-df1b-4a47-a662-4c15e0a29425
Service account  Organization  Asset Manager Search       009c9403-7516-40cb-8bc1-7f708ec307b7
Service account  Organization  Asset Manager Admin        d0d7803a-b0a1-4a71-9350-0712c3da7e59
Service account  Project       Asset Manager Viewer       b5b10e2a-5838-4235-ac3a-9be9fcec6ead
Service account  Project       Asset Manager Consumer     bc1a173e-9f7a-4001-959e-ffc12ff98a7b
Service account  Project       Asset Manager Contributor  5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c

Naming pattern

The names of user types and user roles must follow this pattern, where <user-type-or-role-id> is the ID listed in the tables above and <project-id> is the ID of the project:
  • At the organization level:
    organization.<user-type-or-role-id>
    Examples:
    • Owner user type:
      organization.072429ce-8400-4b65-ac72-4b96e3278931
    • Asset Manager Admin role for service accounts:
      organization.d0d7803a-b0a1-4a71-9350-0712c3da7e59
  • At the project level:
    project.<project-id>.<user-type-or-role-id>
    Examples:
    • Asset Manager Contributor role for users:
      project.9de8bc60-a385-4cf1-82d5-dd50ab6e8539.c7fcf669-df1b-4a47-a662-4c15e0a29425
    • Asset Manager Contributor role for service accounts:
      project.9de8bc60-a385-4cf1-82d5-dd50ab6e8539.5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c
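
The rules at the top of this page (the most permissive user type wins, projects inherit from the organization unless a project-level type is set, user roles and service-account roles are separate, service accounts get no user type) can be checked against the role names themselves. The Python below is an added example written for this page; it is not code from Unity Virtual Private Cloud or Keycloak. It parses names that follow the naming pattern, drops those the platform would ignore and says why, and reports the effective user type and roles for a project. The IDs are copied from the tables above. Everything else is an assumption of the example: the function and class names, that the names arrive as a plain list (for instance the realm_access.roles claim of a Keycloak token), that Guest ranks below User, and the constructed sample role list.

```python
"""Added example (not product code): resolve what a Keycloak principal is granted
from its role names, applying this page's rules. IDs are from the page's tables."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# User-type IDs (page's "User types" table), per level.
ORG_USER_TYPES = {
    "072429ce-8400-4b65-ac72-4b96e3278931": "Owner",
    "39943160-54da-49ac-b1c7-bf26adc65855": "User",
    "6685d32d-f81a-4aeb-b95e-159c791a72d8": "Guest",
}
PROJECT_USER_TYPES = {
    "31a353cd-436a-4d1d-895f-6d98ff2d121f": "Owner",
    "d9c31bee-a173-4a97-b41d-3ad320f7f93b": "User",
}
# Role IDs (page's "User roles" table): account type -> id -> (level, role name).
ROLES = {
    "user": {
        "c8b054a9-1940-4f05-9059-f3859f1704b3": ("organization", "Asset Manager Admin"),
        "4101ecc8-2223-4066-aa4b-6b6f4d0d01e6": ("project", "Asset Manager Viewer"),
        "e5411482-bf96-4166-a1e5-07726894b8b5": ("project", "Asset Manager Consumer"),
        "c7fcf669-df1b-4a47-a662-4c15e0a29425": ("project", "Asset Manager Contributor"),
    },
    "service_account": {
        "009c9403-7516-40cb-8bc1-7f708ec307b7": ("organization", "Asset Manager Search"),
        "d0d7803a-b0a1-4a71-9350-0712c3da7e59": ("organization", "Asset Manager Admin"),
        "b5b10e2a-5838-4235-ac3a-9be9fcec6ead": ("project", "Asset Manager Viewer"),
        "bc1a173e-9f7a-4001-959e-ffc12ff98a7b": ("project", "Asset Manager Consumer"),
        "5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c": ("project", "Asset Manager Contributor"),
    },
}
# Owner > User is stated on the page; putting Guest at the bottom is an assumption.
TYPE_RANK = {"Guest": 0, "User": 1, "Owner": 2}

_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ORG_NAME = re.compile(rf"^organization\.({_UUID})$")            # organization.<id>
PROJECT_NAME = re.compile(rf"^project\.({_UUID})\.({_UUID})$")  # project.<project-id>.<id>


@dataclass
class Resolved:
    org_user_type: str | None = None
    org_roles: set[str] = field(default_factory=set)
    project_user_types: dict[str, str] = field(default_factory=dict)
    project_roles: dict[str, set[str]] = field(default_factory=dict)
    ignored: list[str] = field(default_factory=list)  # dropped names, with the reason

    def effective(self, project_id: str) -> tuple[str | None, set[str]]:
        """Inside a project: organization-level type and roles are inherited,
        and a project-level user type, when present, takes precedence."""
        user_type = self.project_user_types.get(project_id, self.org_user_type)
        return user_type, self.org_roles | self.project_roles.get(project_id, set())


def _highest(current: str | None, new: str) -> str:
    """Several user types at one level: the one with the most permissions applies."""
    return new if current is None or TYPE_RANK[new] > TYPE_RANK[current] else current


def resolve(role_names: list[str], account_type: str) -> Resolved:
    """Keep only the names the platform honours for this account type."""
    if account_type not in ROLES:
        raise ValueError(f"account_type must be one of {sorted(ROLES)}")
    out, roles = Resolved(), ROLES[account_type]
    for name in role_names:
        if m := ORG_NAME.match(name):
            project_id, rid, level, types = None, m.group(1), "organization", ORG_USER_TYPES
        elif m := PROJECT_NAME.match(name):
            (project_id, rid), level, types = m.groups(), "project", PROJECT_USER_TYPES
        else:
            out.ignored.append(f"{name}: does not match the naming pattern")
            continue
        if rid in types:  # the id names a user type
            if account_type != "user":
                out.ignored.append(f"{name}: service accounts cannot have a user type")
            elif project_id is None:
                out.org_user_type = _highest(out.org_user_type, types[rid])
            else:
                out.project_user_types[project_id] = _highest(out.project_user_types.get(project_id), types[rid])
        elif rid in roles and roles[rid][0] == level:  # a role of this account type, at this level
            if project_id is None:
                out.org_roles.add(roles[rid][1])
            else:
                out.project_roles.setdefault(project_id, set()).add(roles[rid][1])
        else:
            out.ignored.append(f"{name}: not a {level}-level role for a {account_type}")
    if account_type == "user" and out.org_user_type is None:
        raise ValueError("every user needs at least one organization-level user type")
    return out


# Constructed sample input: names as they might appear in a token's realm_access.roles claim.
PROJECT_A = "9de8bc60-a385-4cf1-82d5-dd50ab6e8539"  # project id used in the page's examples
SAMPLE_USER_ROLES = [
    "organization.6685d32d-f81a-4aeb-b95e-159c791a72d8",          # Guest user type
    "organization.c8b054a9-1940-4f05-9059-f3859f1704b3",          # Asset Manager Admin (user)
    f"project.{PROJECT_A}.31a353cd-436a-4d1d-895f-6d98ff2d121f",  # Owner at project A
    f"project.{PROJECT_A}.c7fcf669-df1b-4a47-a662-4c15e0a29425",  # Contributor (user) at project A
    f"project.{PROJECT_A}.5e91cc47-a12f-45ab-bbc5-3dfcdac56b3c",  # Contributor for service accounts: ignored
    "offline_access",                                              # Keycloak built-in role: ignored
]
```

Calling resolve(SAMPLE_USER_ROLES, "user") gives Guest with the Asset Manager Admin role at the organization level, Owner with Asset Manager Admin and Asset Manager Contributor inside project 9de8bc60-a385-4cf1-82d5-dd50ab6e8539, and two ignored names: the service-account Contributor role assigned to a user and the built-in offline_access role. The example applies the stated precedence literally, so a project-level user type replaces the organization-level one even when it is lower; the page only describes the case where the project-level type is higher, so check the product's behaviour before relying on the other case.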