Manage Users and Groups Locally in Keycloak
This section describes how to create and manage users and groups directly in Keycloak, without using Active Directory or LDAP federation. You can assign realm roles to Keycloak groups and then map those groups to roles and permissions in the Administration Portal. You can also use the same Keycloak accounts for Monitoring Portal (Grafana) Single Sign-On (SSO).
Prerequisites
- Keycloak is enabled and working for the Manager.
- You can sign in to the Keycloak administration console at https://manager-fqdn/ovirt-engine-auth/.
Note:
If you plan to use Grafana SSO, ensure that each Keycloak user has an email address. Grafana requires an email address for authentication.
Create a Local Group in Keycloak
This section describes how to create groups in Keycloak and map those groups to realm roles. Users that you add to a group inherit the group's role mappings.
Group naming recommendations
Use group names that are meaningful for the environment. The following example names are commonly used:
- ovirt-admins
- ovirt-users
- grafana-admins, grafana-editors, grafana-viewers
Create a group and map it to realm roles
- Sign in to the Keycloak administration console.
- In the navigation menu, select Groups.
- Select New, enter a group name, and then select Create.
- Select the group name, and then select the Role Mappings tab.
- From the role list, select the required realm roles, and then select Add selected. For example:
  - For OLVM administrative access, map SuperUser to ovirt-admins.
  - For OLVM portal access, map UserRole to ovirt-users.
  - For Grafana access, map grafana-admin, grafana-editor, or grafana-viewer to the corresponding grafana-* group.
Manage group membership
To view and manage users assigned to the group, select the group name and then select the Members tab.
Create a Local User in Keycloak
This section describes how to create users directly in Keycloak. You can assign a user to one or more Keycloak groups so the user inherits the realm roles mapped to those groups.
Create a user
- Sign in to the Keycloak administration console.
- In the navigation menu, select Users, and then select Add user.
- Enter the user details:
  - Username (required)
  - Email
  - First name and Last name
  - User enabled: ON
  - (Optional) In Groups, select one or more groups to assign to the user.
- Select Save.
Set credentials
- In the user details page, select the Credentials tab.
- Set the password as required by the environment.
Assign the user to groups
If you didn't assign the user to a group when you created the user, you can add group membership later.
- In the user details page, select the Groups tab.
- Select the required group and add the user.
Note:
If you plan to use Grafana SSO, ensure that the user has an email address configured.
Assign Keycloak Groups in OLVM and Configure Permissions
After you create groups in Keycloak, add those groups in the Administration Portal and assign the required OLVM roles and permissions.
Add a Keycloak group in the Administration Portal
- Sign in to the Administration Portal as admin@ovirt.
- Go to Administration > Users.
- Select Groups, and then select Add.
- From the domain list, select internalsso.
- Search for the Keycloak group, select it, and then add it.
Assign roles and permissions
- Select the group name, and then select the Permissions tab.
- Assign the required role. For example:
  - For full administrative access, assign SuperUser.
  - For basic portal access, assign UserRole.
Assign Grafana Roles for Keycloak Local Accounts
If you use Grafana Single Sign-On (SSO) with Keycloak local users, ensure that Keycloak groups are mapped to the realm roles that Grafana expects.
Configure group-to-role mappings in Keycloak
- In Keycloak, select Groups and select the group that you want to use for Grafana. For example, select grafana-admins.
- Select the Role Mappings tab.
- Add the appropriate realm role, and then select Add selected. For example, map grafana-admin to the grafana-admins group.
Result
After mapping is complete, users that are members of the Grafana groups inherit the corresponding Grafana role when they sign in to Grafana using SSO.
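Before testing sign-in, it is useful to check offline that the group and user configuration described in the preceding sections (groups mapped to realm roles, users assigned to groups, an email address on every Grafana SSO user) actually yields the intended effective roles. The following script is an added example and is not part of the Oracle documentation or the OLVM or Keycloak code. It takes data in the shape returned by the Keycloak Admin REST API (GroupRepresentation objects with their realmRoles, UserRepresentation objects, and per-user group membership as returned by the user's groups endpoint), resolves each user's effective OLVM and Grafana realm roles, and flags conditions that would break the procedures above. The group, user and membership data are constructed samples embedded inline; the realm name, user ids, group ids and email addresses are placeholders, not values from this page.

```python
"""Audit Keycloak local groups and users for OLVM and Grafana SSO role mappings.

Added example: resolves the effective realm roles a user inherits through
group membership and flags configuration gaps (missing email for Grafana SSO,
grafana-* groups without a grafana-* role, disabled users, no access at all).
All sample data below is constructed; no live Keycloak server is contacted.
"""
import json

# Realm roles that the procedures on this page map to groups.
OLVM_ROLES = {"SuperUser", "UserRole"}
GRAFANA_ROLES = {"grafana-admin", "grafana-editor", "grafana-viewer"}

# Constructed sample in the shape of GET /admin/realms/{realm}/groups
# (GroupRepresentation with the realmRoles list). Ids are placeholders.
GROUPS_JSON = """[
  {"id": "g1", "name": "ovirt-admins",   "path": "/ovirt-admins",   "realmRoles": ["SuperUser"]},
  {"id": "g2", "name": "ovirt-users",    "path": "/ovirt-users",    "realmRoles": ["UserRole"]},
  {"id": "g3", "name": "grafana-admins", "path": "/grafana-admins", "realmRoles": ["grafana-admin"]},
  {"id": "g4", "name": "grafana-viewers","path": "/grafana-viewers","realmRoles": []}
]"""

# Constructed sample in the shape of GET /admin/realms/{realm}/users
# (UserRepresentation). bob has no email; carol is disabled.
USERS_JSON = """[
  {"id": "u1", "username": "alice", "enabled": true,  "email": "alice@example.test"},
  {"id": "u2", "username": "bob",   "enabled": true},
  {"id": "u3", "username": "carol", "enabled": false, "email": "carol@example.test"}
]"""

# Constructed sample: group ids per user, as collected from
# GET /admin/realms/{realm}/users/{id}/groups for each user.
MEMBERSHIP = {"u1": ["g1", "g3"], "u2": ["g2", "g4"], "u3": ["g2"]}


def load_groups(groups_json):
    """Index GroupRepresentation objects by their id."""
    return {g["id"]: g for g in json.loads(groups_json)}


def effective_roles(user_id, groups_by_id, membership):
    """Union of the realm roles mapped to every group the user belongs to.

    This is the inheritance rule the page relies on: a user gets the role
    mappings of each group it is a member of.
    """
    roles = set()
    for gid in membership.get(user_id, []):
        roles.update(groups_by_id[gid].get("realmRoles", []))
    return roles


def audit_user(user, groups_by_id, membership):
    """Resolve one user's OLVM and Grafana roles and list configuration problems."""
    roles = effective_roles(user["id"], groups_by_id, membership)
    olvm = sorted(roles & OLVM_ROLES)
    grafana = sorted(roles & GRAFANA_ROLES)
    group_names = [groups_by_id[g]["name"] for g in membership.get(user["id"], [])]
    in_grafana_group = any(name.startswith("grafana-") for name in group_names)

    problems = []
    if not user.get("enabled", False):
        problems.append("user disabled")
    # Grafana requires an email address for SSO authentication (page note).
    if in_grafana_group and not user.get("email"):
        problems.append("Grafana SSO requires an email address")
    # A grafana-* group that maps no grafana-* realm role grants nothing in Grafana.
    if in_grafana_group and not grafana:
        problems.append("grafana-* group has no grafana-* realm role mapped")
    # Two Grafana roles at once make the intended access level ambiguous.
    if len(grafana) > 1:
        problems.append("more than one Grafana role mapped; membership is ambiguous")
    if not olvm and not grafana:
        problems.append("no OLVM or Grafana role; user has no effective access")
    return {"olvm": olvm, "grafana": grafana, "problems": problems}


def audit(groups_json=GROUPS_JSON, users_json=USERS_JSON, membership=MEMBERSHIP):
    """Return {username: {"olvm": [...], "grafana": [...], "problems": [...]}}."""
    groups_by_id = load_groups(groups_json)
    return {u["username"]: audit_user(u, groups_by_id, membership)
            for u in json.loads(users_json)}


if __name__ == "__main__":
    for username, result in audit().items():
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{username:8} OLVM={result['olvm']} Grafana={result['grafana']}  {status}")
```

With the constructed sample, alice resolves to SuperUser plus grafana-admin with no problems, bob is flagged twice (no email address, and membership in a grafana-viewers group that has no grafana-viewer role mapped), and carol is flagged as disabled. To run this against a real realm, replace the three constructed inputs with the JSON returned by the corresponding Admin REST API endpoints for your realm.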
Sign in and Test Access
After you create local users and groups in Keycloak and assign permissions in the Administration Portal, test sign-in to the portals to confirm that role mappings work as expected.
Test Administration Portal access
- Sign out of the Administration Portal.
- Sign in using a Keycloak local user account.
- Verify that the user has the access associated with the user's group permissions.
Test Grafana SSO access
- Open the Monitoring Portal (Grafana) and select the SSO sign-in option.
- Sign in using a Keycloak local user account.
- Verify that the user's role in Grafana matches the mapped Keycloak group.