Skip to main content
The Keycloak hands-on examples page demonstrates how to use Keycloak.

Manage roles

Roles define what a user or service account can do within a realm or app.

Create a realm role

Realm roles are global, and you can assign them to any user or group. Use the following steps to create a realm role:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, navigate to Realm roles > Create role.
  3. In the Role Name field, enter a role name.
  4. In the Description field, enter an optional description.
  5. Click Save.
  6. Optionally configure Composite Roles to bundle multiple permissions.

Create a client role

Client roles are specific to an app and used for app-level authorizations. Use the following steps to create client roles:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, click Clients and select a previously created client.
  3. Click the Roles tab.
  4. Click Create Role.
  5. In the Role Name field, enter a role name.
  6. In the Description field, enter an optional description.
  7. Click Save.

Manage users

Managing users ensures that you can control access to NexusOne apps and maintain security. In Keycloak, it allows you to create user accounts, manage credentials, or enforce password policies.

Create a new user

Use the following steps to create a new user:
  1. Log in to the Keycloak Admin Console.
  2. At the top left corner, select the realm you want to manage.
  3. Navigate to Users > Add user.
  4. Provide the required fields:
    • Username is mandatory
    • Email, First Name, and Last Name are optional
  5. Click Create.
  6. After creating a user, click the Credentials tab to set an initial password.
  7. Choose whether the user should update their password on first login.

Manage user credentials

Use the following steps to manage user credentials:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, navigate to Users > username > Credentials.
    username is a user previously created
  3. Within the credentials tab, you can do the following:
    • Reset passwords
    • Disable or enable credentials
    • Configure temporary or permanent passwords

Assign a role to a user

Use the following steps to assign roles to users:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, click Users and select a previously created user.
  3. Navigate to Role mappings > Assign role.
  4. In the available roles table, select a realm or client role you want to assign.
  5. Click Assign.

Manage groups

Groups allow administrators to combine multiple users and assign roles to them easily.

Create a group

Use the following steps to create a group:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, navigate to Groups > Create group and assign roles or attributes to the group.
  3. In the Name field, enter a group name.
  4. Click Create.

Add a user to a group

Use the following steps to add a user to a group:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, click Groups and select a previously created group.
  3. Navigate to Members > Add member.
  4. In the available member table, select a user you want to add.
  5. Click Add.

Assign a role to a group

Use the following steps to assign a role to a group:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, click Groups and select a previously created group.
  3. Navigate to Role mappings > Assign role.
  4. In the available roles table, select a realm or client role you want to assign.
  5. Click Assign.

Create a client

Clients represent NexusOne apps or services that rely on Keycloak for authentication and authorization. These apps include, Apache Airflow, Superset, or JupyterHub. Use the following steps to create a client:
  1. Log in to the Keycloak Admin Console.
  2. From the sidebar, navigate to Clients > Create client.
  3. In the Client type field, select a client type such as OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).
  4. In the Client ID field, enter a client ID.
  5. In the Name and Description field, optionally enter a name and description.
  6. Click Next.
  7. Select the authentication and authorization the client needs and click Next.
  8. Optionally, enter URLs and URIs that define where the client runs and which endpoints Keycloak should redirect after authentication.
  9. Click Save.

Additional resources

  • To get an overview of Keycloak, refer to the Keycloak in NexusOne page.
  • For more details about Keycloak, refer to the Keycloak official documentation.
  • If you are using the NexusOne portal and want to learn how to configure IAM using Keycloak, refer to the Govern page.