edoc Knowledge Base
How do I add roles to users or groups in Keycloak?

Component

Keycloak

Version

15 - 23

KB article number

395051034

Summary

In this article, you will learn how to assign roles to users and groups in Keycloak. In the edoc applications, permissions are often granted using roles.

If a user holds a role, either directly or via group membership, a specific action is permitted or prohibited. For example, the eca_admin role grants users administrative rights in edoc contract.

Important requirements

  • Administrative access to the Keycloak user interface (membership in the admin role).

Solution

You edit role assignments in the Keycloak Administration Console.

Here's how

  1. Switch to the Keycloak administration interface. To do this, go to https://<solution server>/auth and click on Administration Console.

  2. Log in as an administrative user.

  3. Select the user or group to which you want to assign roles:

    1. User: Under Manage, click on Users and select the user or users.

    2. Group: Under Manage, click on Groups and select the group.

  4. Switch to the Role Mappings tab in the editing view to display the roles. After loading, you will only see Realm Roles there. Some applications (e.g. edoc automate) save roles in the respective client application. To edit the client roles, click on the respective client under Client Roles, e.g. app-server.

  5. Add the desired role by selecting it and clicking on Add selected.

Under Assigned Roles, you can see the roles assigned directly to the user. Under Effective Roles, you can see the effective roles, taking into account the group membership.
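
The difference between Assigned Roles and Effective Roles matters when you review who actually holds a privileged role such as eca_admin. The following is an added example, not part of the original article or of edoc/Keycloak code: it resolves effective roles from direct assignments plus group membership and lists users who hold a role only through a group. The users, the group paths and the app-server role "editor" are constructed; composite roles are not modelled.

```python
# Constructed sample data (not exported from a real realm). Role keys are
# "realm:<role>" or "<client>:<role>", mirroring the Realm Roles / Client Roles split.
GROUPS = {
    "/contracts": {"realm:eca_admin"},
    "/contracts/legal": {"app-server:editor"},  # hypothetical client role
    "/staff": set(),
}
USERS = {
    "alice": {"assigned": {"realm:eca_admin"}, "groups": ["/staff"]},
    "bob": {"assigned": set(), "groups": ["/contracts/legal"]},
    "carol": {"assigned": {"app-server:editor"}, "groups": ["/staff"]},
}

def group_chain(path):
    """Yield the group path, then each parent path (subgroups inherit parent role mappings)."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])

def effective_roles(user):
    """Return {role: sorted sources}; a source is 'direct' or the group path granting it."""
    sources = {}
    for role in user["assigned"]:
        sources.setdefault(role, set()).add("direct")
    for membership in user["groups"]:
        for path in group_chain(membership):
            for role in GROUPS.get(path, ()):
                sources.setdefault(role, set()).add(path)
    return {role: sorted(src) for role, src in sources.items()}

def holders(role):
    """Map each user who effectively holds `role` to the sources that grant it."""
    out = {}
    for name, user in USERS.items():
        eff = effective_roles(user)
        if role in eff:
            out[name] = eff[role]
    return out

def hidden_grants(role):
    """Users holding `role` only via groups: not under Assigned Roles, but under Effective Roles."""
    return sorted(n for n, src in holders(role).items() if "direct" not in src)

if __name__ == "__main__":
    for name, src in holders("realm:eca_admin").items():
        print(name, "holds eca_admin via", ", ".join(src))
    print("group-only:", hidden_grants("realm:eca_admin"))
```
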