Breadcrumbs

Separation of Configurational Admin and CX Admin

This document provides comprehensive configuration guidelines for creating and managing users in Keycloak with appropriate role assignments. The configuration covers two distinct user types: administrative users for internal API operations and customer experience (CX) users for application login access.

Overview

Keycloak user management involves creating users with specific role assignments based on their intended functionality within the system. This implementation distinguishes between internal administrative operations and customer-facing application access through dedicated user configurations.

The configuration establishes two primary user categories:

  • Admin User - Designed for internal API operations with comprehensive realm management capabilities

  • CX Admin User - Configured for customer experience application login with limited administrative access

User Types

Admin User Configuration

The admin user serves as the primary administrative account for internal API operations and system management tasks. This user requires extensive permissions to manage realm configurations, users, and system-wide settings.

User Details:

  • Username: admin

  • Purpose: Internal API operations and system administration

  • Access Level: Full realm management capabilities

  • Authentication: Programmatic API access

Role Assignments: The admin user must be assigned all realm-management roles to ensure comprehensive administrative capabilities:

  • realm-admin - Complete administrative access to the realm

  • manage-users - User creation, modification, and deletion capabilities

  • manage-clients - Client application management permissions

  • manage-realm - Realm configuration and settings management

  • view-users - User information viewing permissions

  • view-clients - Client application viewing permissions

  • view-realm - Realm information viewing permissions

  • manage-identity-providers - Identity provider configuration management

  • view-identity-providers - Identity provider information viewing

  • manage-authorization - Authorization policy management

  • view-authorization - Authorization information viewing

  • create-client - Client creation permissions

  • impersonation - User impersonation capabilities

  • manage-events - Event management and configuration

  • view-events - Event viewing and monitoring

CX Admin User Configuration

The CX admin user is specifically designed for customer experience application access with controlled administrative privileges. This user provides the necessary permissions for CX application functionality while maintaining security boundaries.

User Details:

  • Username: cx_admin

  • Purpose: Customer experience application login and management

  • Access Level: Limited administrative access with CX-specific permissions

  • Authentication: CX application login

Role Assignments: The cx_admin user receives targeted role assignments for CX application functionality:

  • admin - Basic administrative role for CX operations

  • offline_access - Enables offline token access for extended sessions

  • uma_authorization - User-Managed Access authorization capabilities

Configuration Steps

Prerequisites

Before proceeding with user configuration, ensure the following requirements are met:

  • Keycloak server is properly installed and running

  • Administrative access to Keycloak Admin Console is available

  • Target realm is created and configured

  • Required client applications are registered in the realm

Creating the Admin User

Follow these detailed steps to create and configure the admin user:

Step 1: Access User Management

  1. Log in to the Keycloak Admin Console

  2. Select the target realm from the realm dropdown (Expertflow in our case)

  3. Navigate to Users in the left sidebar

  4. Click Add User to begin user creation

Step 2: User Creation

  1. Enter the following user details:

    • Username: admin

    • Email: Provide appropriate administrative email address

    • First Name: Admin

    • Last Name: User

    • User Enabled: Toggle to ON

    • Email Verified: Toggle to OFF (if email verification is required then turn ON)

  2. Click Save to create the user

Step 3: Password Configuration

  1. Navigate to the Credentials tab

  2. Set a temporary password as OFF

  3. Click Set Password to apply changes

Step 4: Role Assignment

  1. Navigate to the Role Mappings tab

  2. Select Client Roles and choose realm-management from the dropdown

  3. Assign all available realm-management roles:

    • Select all roles from the Available Roles list

    • Click Add selected to assign the roles

  4. Verify that all realm-management roles appear in the Assigned Roles section

Creating the CX Admin User

Follow these steps to create and configure the CX admin user:

Step 1: User Creation Process

  1. In the Keycloak Admin Console, navigate to the Users section

  2. Click Add User to create a new user

  3. Enter the following details:

    • Username: cx_admin

    • Email: Provide appropriate CX administrative email

    • First Name: CX Admin

    • Last Name: User

    • User Enabled: Toggle to ON

  4. Save the user configuration

Step 2: Credential Setup

  1. Access the Credentials tab for the newly created user

  2. Set appropriate password based on organizational security policies

  3. Click Set Password to apply changes

Step 3: Role Configuration

  1. Navigate to the Role Mappings tab

  2. Realm Roles Assignment:

    • From Available Roles, select and assign:

      • admin

      • offline_access

      • uma_authorization

    • Click Add selected to complete the assignment

  3. Client Roles (if applicable):

    • If specific client roles are required for CX applications

    • Select the appropriate client from the Client Roles dropdown

    • Assign relevant client-specific roles

Advanced Configuration Options

User Attributes

Custom user attributes can be configured to enhance user functionality and integration capabilities:

For Admin User:

  • api_access_level: "full"

  • user_type: "system_admin"

  • access_scope: "internal"

For CX Admin User:

  • application_access: "cx_platform"

  • user_type: "cx_admin"

  • access_scope: "customer_facing"

Verification and Testing

Admin User Verification

API Access Testing:

  1. Obtain admin user authentication token

  2. Test realm management API endpoints

  3. Verify user management capabilities

  4. Confirm client management permissions

Role Verification:

  1. Check assigned roles in Admin Console

  2. Verify effective permissions through API calls

  3. Test administrative operations across different realm components

CX Admin User Verification

Application Login Testing:

  1. Attempt login to CX applications

  2. Verify successful authentication

  3. Confirm application functionality access

  4. Test offline access capabilities

Permission Validation:

  1. Verify limited administrative access

  2. Confirm UMA authorization functionality

  3. Test role-based feature access within CX applications