Advanced Keycloak
Note
Please use the ITRS Analytics IAM app to manage user access, roles, and permissions across the ITRS Analytics platform. It provides centralized authentication and integration with identity providers.
This section is intended to enable experienced Keycloak admins to add further features. You do not need to perform any of the steps below to configure a basic installation.
Once you have configured Keycloak using your preferred service, an advanced admin can use Keycloak to implement data access authorization policies. For more information, see Keycloak Documentation.
Keycloak allows you to create policies and permissions to permit or restrict access by users or groups to data stored in the ITRS Analytics platform and the APIs that can be used to directly or indirectly modify that data.
Keycloak realms are used to provide logical separation of users, groups, roles, and similar concepts between different contexts. A default master realm exists which is used for administrative purposes, such as the bootstrapping and initial configuration of Keycloak itself, including the creation of the itrs-analytics realm.
The configuration of data access authorization described in this section of the documentation applies solely to the itrs-analytics realm: this is where the users and groups that are used to log in to ITRS Analytics exist.
Protect the realm-admin user
The realm-admin user is a system-managed Keycloak account that ITRS Analytics uses for license validation and for authentication during upgrade or reconfiguration tasks.
- Never delete the realm-admin user.
- You can rotate the realm-admin password if required, but you must also update the Kubernetes secret named iam-realm-admin-credentials in the same namespace as your ITRS Analytics instance.
- If the password is changed in Keycloak but not in the secret, later platform operations that depend on realm-admin can fail with authentication errors.
For more information, see Protected system users.
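One way to check for the mismatch described above after a password rotation, as an added example (not ITRS or Keycloak project code): it reads the iam-realm-admin-credentials secret with kubectl and tests whether Keycloak still accepts the stored credentials. The Keycloak base URL, the realm that holds realm-admin, and the secret's data key names are not given on this page, so they are passed as arguments; the example also assumes the stock admin-cli client is allowed to use password grants.

```python
import base64, json, subprocess, sys
import urllib.error, urllib.parse, urllib.request

SECRET_NAME = "iam-realm-admin-credentials"  # secret name from this page

def decode_secret(secret_json, user_key, pass_key):
    """Decode (user, password) from `kubectl get secret -o json` output.
    user_key/pass_key are the secret's data keys; this page does not list them."""
    data = json.loads(secret_json).get("data") or {}
    missing = [k for k in (user_key, pass_key) if k not in data]
    if missing:
        raise KeyError(f"{SECRET_NAME}: no data key {missing}; found {sorted(data)}")
    return tuple(base64.b64decode(data[k]).decode() for k in (user_key, pass_key))

def token_request(base_url, realm, user, password, client_id="admin-cli"):
    """Build a Keycloak password-grant request (admin-cli is a stock client)."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": client_id,
            "username": user, "password": password}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def credentials_accepted(req):
    """True if Keycloak issues a token, False if it answers invalid_grant."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return "access_token" in json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            reason = json.load(err).get("error")
        except ValueError:
            reason = None
        if reason == "invalid_grant":
            return False
        raise  # e.g. client not allowed to use direct grants: not a drift signal

def main(namespace, base_url, realm, user_key, pass_key):
    # The password is only held in memory and sent to Keycloak; it is never printed.
    out = subprocess.run(["kubectl", "-n", namespace, "get", "secret", SECRET_NAME,
                          "-o", "json"], check=True, capture_output=True, text=True).stdout
    user, password = decode_secret(out, user_key, pass_key)
    ok = credentials_accepted(token_request(base_url, realm, user, password))
    print("secret and Keycloak agree" if ok else "MISMATCH: update the secret")
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:6]))
```

Run it with the namespace, Keycloak base URL, realm, and the two data key names as arguments; a non-zero exit means the secret no longer matches the password held in Keycloak.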