Applying Realm Roles to Users

Overview

This section explains how to assign existing Realm Roles to users in the Keycloak Admin Console for the DSPM platform. The system uses Role-Based Access Control (RBAC). Each user receives one or more roles that define what parts of the application they can access. Roles are configured as Realm Roles, meaning they apply globally across the realm.

Prerequisites

Before assigning roles to users, ensure the following:
  • You have administrator access to the Keycloak Admin Console.
  • Users exist in the realm or have been imported from the identity provider.
  • The RBAC model for the DSPM platform is enabled and understood.

If roles are missing, contact the system administrator responsible for Keycloak configuration.

Available Roles

Role                  Abbreviation  Use Case
Super Administrator   AD            Administrator with access to all pages.
System Administrator  SA            IT administrator responsible for tenant configuration, user imports, and RBAC.
Policy Manager        PM            Configure policies and qualify/assign incidents.
Incident Manager      IM            Access reports, incident details, and workflow. Manages incident handling.
Auditor               AU            Read-only access to reports and system data.

Role Assignment Strategy

Roles can be assigned in two ways.
  1. Direct Role Assignment: Roles are assigned directly to a user.
    Use this when:
    • Only a few users exist
    • Roles are temporary
    • Testing or debugging access
  2. Group-Based Assignment (Recommended): Roles are assigned to groups, and users are added to those groups.
    Advantages:
    • Easier user management
    • Consistent permissions
    • Faster onboarding
    Example group structure:
    Groups
     ├── Super Administrators
     ├── System Administrators
     ├── Policy Managers
     ├── Incident Managers
     └── Auditors

Each group receives the corresponding realm role.

Assigning Roles Using Groups (Recommended)

  1. Open the Admin Console
    1. Log in to the Keycloak Admin Console.
    2. Select the correct Realm.
    3. Navigate to Groups.

    Check that the following groups exist, each mapped to its realm role:
    • Super Administrators
    • System Administrators
    • Policy Managers
    • Incident Managers
    • Auditors

  2. Add Users to Groups
    1. Navigate to Users.
    2. Select the user.
    3. Click the Groups tab.
    4. Search for the group, select it, and click Join.

    The user automatically inherits the realm role mapped to the group.

Role Assignment - Examples

User   Group                  Assigned Role
Alice  Super Administrators   Admin
Bob    System Administrators  System Administrator
Maria  Policy Managers        Policy Manager
David  Incident Managers      Incident Manager
Eva    Auditors               Auditor

Security Considerations

Follow these security guidelines when assigning roles:

  • Only a limited number of users should have Super Administrator privileges.

  • Avoid assigning multiple high-privilege roles to the same user unless necessary.

  • Remove roles immediately when users change responsibilities.

  • Periodically review role assignments for compliance.

Regular audits of role assignments are recommended.

Verifying Assigned Roles

To confirm the role assignment:
  1. Click Users.
  2. Select the user.
  3. Click Role mapping.

If a role inherited from a group is not listed, make sure the Hide inherited roles option is unchecked.

Access Behaviour

Role                  Access Level
Super Administrator   Full platform access
System Administrator  Tenant configuration, user management, RBAC
Policy Manager        Policy configuration and incident qualification
Incident Manager      Incident handling and reporting
Auditor               Read-only access

Future: Departmental Segmentation

The following roles may later require department-level restrictions:
  • Policy Manager
  • Incident Manager
Example structure:
Policy Managers
 ├── Finance
 ├── HR
 └── IT
Access filtering would be handled by:
  • group membership
  • user attributes
  • application-level permissions

Troubleshooting

  1. User Cannot Access a Feature
    Verify:
    • The correct role is assigned to the user.
    • The role appears under Role mapping in the user profile.
    • The user has logged out and logged in again.
  2. Role Not Visible
    Check:
    • The role exists under Realm Roles.
    • The administrator has sufficient permissions to assign roles.
  3. Permissions Still Missing
    In some cases the application caches authorization data: realm roles are embedded in the token issued at login, so a role assigned afterwards only takes effect once a new token is issued. Ask the user to:
    • log out
    • clear the session
    • log in again

Best Practices

  1. Use Groups Instead of Direct Roles: Group-based assignment simplifies administration.
  2. Limit Super Administrator Access: Only a minimal number of users should have this role.
  3. Assign One Primary Role Per User: Multiple roles should only be used when required.
  4. Periodically Review Access: Administrators should regularly review role assignments.
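The periodic review called for under Security Considerations and Best Practices can be scripted. The following is an added example, not part of this documentation or of the DSPM platform's tooling: it resolves each user's effective realm roles from direct mappings plus group membership (Keycloak subgroups inherit their parent's role mappings, so a member of /Policy Managers/Finance gets Policy Manager) and flags the guideline violations. The user names, group paths and the limit of two Super Administrators are constructed assumptions, and the data is shaped like the Keycloak admin REST representations rather than fetched from a server.

```python
HIGH_PRIVILEGE = {"Super Administrator", "System Administrator"}
MAX_SUPER_ADMINS = 2  # assumed ceiling for "a limited number of users"

# Constructed sample groups, shaped like Keycloak GroupRepresentation objects
# (GET /admin/realms/{realm}/groups); a subgroup inherits its parent's roles.
GROUPS = [
    {"path": "/Super Administrators", "realmRoles": ["Super Administrator"], "subGroups": []},
    {"path": "/System Administrators", "realmRoles": ["System Administrator"], "subGroups": []},
    {"path": "/Policy Managers", "realmRoles": ["Policy Manager"], "subGroups": [
        {"path": "/Policy Managers/Finance", "realmRoles": [], "subGroups": []}]},
]

# Constructed sample users: direct realm roles plus the group paths they joined
USERS = [
    {"username": "alice", "realmRoles": [], "groups": ["/Super Administrators"]},
    {"username": "bob", "realmRoles": [], "groups": ["/System Administrators"]},
    {"username": "maria", "realmRoles": [], "groups": ["/Policy Managers/Finance"]},
    {"username": "eva", "realmRoles": ["Auditor"], "groups": []},  # direct assignment
    {"username": "tom", "realmRoles": ["System Administrator"], "groups": ["/Super Administrators"]},
]


def group_roles_by_path(groups, inherited=frozenset()):
    """Flatten the group tree into {path: roles of the group and all its ancestors}."""
    table = {}
    for g in groups:
        roles = frozenset(inherited) | frozenset(g.get("realmRoles", []))
        table[g["path"]] = roles
        table.update(group_roles_by_path(g.get("subGroups", []), roles))
    return table


def effective_roles(user, path_roles):
    """Direct realm roles plus every role inherited through group membership."""
    roles = set(user.get("realmRoles", []))
    for path in user.get("groups", []):
        roles |= path_roles.get(path, frozenset())
    return roles


def audit(users, groups):
    """Return findings for the Security Considerations / Best Practices guidelines."""
    path_roles = group_roles_by_path(groups)
    findings = []
    supers = sorted(u["username"] for u in users if "Super Administrator" in effective_roles(u, path_roles))
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append(f"too many Super Administrators ({len(supers)}): {supers}")
    for u in users:
        roles, name = effective_roles(u, path_roles), u["username"]
        if len(roles & HIGH_PRIVILEGE) > 1:  # several high-privilege roles on one user
            findings.append(f"{name} holds multiple high-privilege roles: {sorted(roles & HIGH_PRIVILEGE)}")
        if u.get("realmRoles"):  # direct mapping instead of group-based assignment
            findings.append(f"{name} has a direct role assignment (prefer groups): {sorted(u['realmRoles'])}")
    return findings
```

Running audit(USERS, GROUPS) on the sample data reports tom (Super Administrator via group plus a direct System Administrator role) and eva (direct Auditor role), while the two Super Administrators stay within the assumed limit.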