
User management

Admin console

To access the Keycloak administration area, you must have the "caascad-keycloak-users-admin" role and use this URL:

https://keycloak.ZONE_NAME.caascad.com/auth/admin/ZONE_NAME-client/console/

From this console, you can manage all of your existing users, add new ones, create user groups and assign them roles on the Caascad platform tools.

Add a new user

  • Click on "Users" to view users list.

  • Click on "Add user".

  • Fill in the user's information.

  • If you want to require two-factor authentication (OTP) for the user, select "Required User Actions" and then "Configure OTP". The user will be asked to enrol an OTP token at first login.

  • Click on "Save" to finalize the creation of the user account. Once it is created, the user will be able to follow the first login procedure.

Create a user group

  • Click on "Groups" to view the list of user groups.

  • User groups are hierarchical: you can either create a new top-level group (without a parent group) by clicking directly on "New", or select an existing group and click on "New" to create a sub-group of it.

  • Fill in the group name and click "Save".

Manage user's groups

  • Click on "Users" to view users list.

  • Click on "Edit" to the right of the user to modify (you can use the search box to find the user in the list).

  • Click on "Groups". You will then have a view of the groups that the user is a member of and those that are available.

  • You can then select a group and click on "Join" to add the user to it, or "Leave" to remove the user from it.

Assign a role to a user group

It is possible to assign roles directly to each user, or to assign them to groups to which you then add users. For ease of administration and maintenance of your Caascad user base, we recommend that you use groups: membership changes are then a single "Join"/"Leave" operation, and the group's role mapping is the one place to review when auditing who has access.

  • Click on "Groups" to view the list of user groups.

  • Select the group to modify and click on "Edit".

  • Click on "Role Mapping". You will then see the list of the roles assigned to this group ("Assigned Roles") and the roles that can still be added ("Available Roles"). Groups are hierarchical, so a group automatically inherits the roles assigned to its parent groups. You can see all assigned and inherited roles in the "Effective Roles" section.

  • Select a role (or several while keeping the Ctrl key pressed), then click on "Add selected" to add the role(s) to the group, or on "Remove selected" to remove them.
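The four procedures above (add a user with OTP enrolment, create a group and a sub-group, add the user to a group, map roles to a group) can also be driven through the Keycloak Admin REST API, which is how you would script onboarding or reconcile the user base against a source of truth. The following is an added example, not Caascad's or Keycloak's own code. It assumes that the API base is the server part of the console URL on this page (`https://keycloak.ZONE_NAME.caascad.com/auth`), that the realm is `ZONE_NAME-client` as read off that URL, and that the caller already holds a bearer token for an account with the `caascad-keycloak-users-admin` role (for instance obtained through the `admin-cli` client). The group names and the user `jdoe` are constructed sample values; the console's "Configure OTP" required action is `CONFIGURE_TOTP` in the API.

```python
"""Script the Keycloak admin console walkthrough via the Admin REST API.

Added example (not the platform's own tooling). Assumed values are marked below.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport is (method, url, json_body_or_None, headers) -> (status, response_headers, parsed_json_or_None).
# It is injectable so the client can be exercised offline against a fake server.
Transport = Callable[[str, str, Optional[object], Dict[str, str]],
                     Tuple[int, Dict[str, str], Optional[object]]]


def urllib_transport(method: str, url: str, body: Optional[object], headers: Dict[str, str]):
    """Default transport: standard library only, no third-party HTTP client needed."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)


def user_representation(username: str, email: str, first_name: str, last_name: str,
                        require_otp: bool = True) -> dict:
    """Body for POST /users. "Configure OTP" in the console is the CONFIGURE_TOTP
    required action: Keycloak forces OTP enrolment before the first login completes."""
    return {
        "username": username,
        "email": email,
        "firstName": first_name,
        "lastName": last_name,
        "enabled": True,
        "requiredActions": ["CONFIGURE_TOTP"] if require_otp else [],
    }


class KeycloakAdmin:
    def __init__(self, base_url: str, realm: str, token: str, transport: Transport = urllib_transport):
        self.api = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[object] = None):
        status, headers, parsed = self.transport(method, f"{self.api}{path}", body, self.headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return headers, parsed

    @staticmethod
    def _created_id(headers: Dict[str, str]) -> str:
        # Keycloak answers a create with 201 and the new resource URL in Location.
        location = next(v for k, v in headers.items() if k.lower() == "location")
        return location.rstrip("/").rsplit("/", 1)[-1]

    def create_user(self, rep: dict) -> str:
        headers, _ = self._call("POST", "/users", rep)
        return self._created_id(headers)

    def create_group(self, name: str, parent_id: Optional[str] = None) -> str:
        # Top-level group, or a sub-group via the parent's /children endpoint (console: select group, "New").
        path = f"/groups/{parent_id}/children" if parent_id else "/groups"
        headers, _ = self._call("POST", path, {"name": name})
        return self._created_id(headers)

    def add_user_to_group(self, user_id: str, group_id: str) -> None:
        self._call("PUT", f"/users/{user_id}/groups/{group_id}")          # console: "Join"

    def realm_role(self, name: str) -> dict:
        _, rep = self._call("GET", f"/roles/{name}")
        return rep

    def map_realm_roles_to_group(self, group_id: str, role_names: List[str]) -> List[dict]:
        # Role mappings take full RoleRepresentations (id + name), so look each role up first.
        reps = [{"id": r["id"], "name": r["name"]} for r in map(self.realm_role, role_names)]
        self._call("POST", f"/groups/{group_id}/role-mappings/realm", reps)  # console: "Add selected"
        return reps

    def effective_realm_roles(self, group_id: str) -> List[str]:
        # The same composite view the console's "Effective Roles" section is built on.
        _, reps = self._call("GET", f"/groups/{group_id}/role-mappings/realm/composite")
        return sorted(r["name"] for r in reps)


def provision(admin: KeycloakAdmin) -> dict:
    """Run the whole walkthrough: user with OTP, group + sub-group, membership, role mapping."""
    user_id = admin.create_user(user_representation("jdoe", "jdoe@example.com", "Jane", "Doe"))
    team_id = admin.create_group("platform-team")              # constructed group name
    ops_id = admin.create_group("ops", parent_id=team_id)       # sub-group inherits the parent's roles
    admin.add_user_to_group(user_id, ops_id)
    mapped = admin.map_realm_roles_to_group(team_id, ["caascad-devops"])   # role from this page
    return {
        "user_id": user_id,
        "group_id": ops_id,
        "mapped": [r["name"] for r in mapped],
        "effective": admin.effective_realm_roles(team_id),
    }


if __name__ == "__main__":
    # ASSUMED base URL / realm (from the console URL) and a token you obtained separately.
    admin = KeycloakAdmin("https://keycloak.ZONE_NAME.caascad.com/auth", "ZONE_NAME-client", "<bearer token>")
    print(json.dumps(provision(admin), indent=2))
```

Mapping `caascad-devops` to the parent group and adding the user to the sub-group shows why the page recommends groups: the user's access follows from two auditable facts (group membership and the parent group's role mapping) rather than per-user role assignments. If `caascad-devops` is defined as a Keycloak composite role, which the "combination of" wording in the roles table suggests, the composite view also lists the fine-grained roles it expands to.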

Caascad roles

Global roles

We provide global roles that give consistent access to the Caascad applications. These roles are combinations of the fine-grained roles described in the next section.

| Role | Description |
| --- | --- |
| caascad-maintainer | Devops role on all clusters + Keycloak user administration |
| caascad-devops | Write access on all platform tools. This is a combination of the caascad-rancher-admin, caascad-concourse-member and caascad-vault-k8s-secrets roles |
| caascad-guest | Read access on all platform tools. This is a combination of the caascad-rancher-viewer and caascad-concourse-viewer roles |
| caascad-devops-ZONE_NAME | Same as caascad-devops but limited to ZONE_NAME |
| caascad-guest-ZONE_NAME | Same as caascad-guest but limited to ZONE_NAME |

Fine-grained roles

| Role | Description |
| --- | --- |
| caascad-keycloak-users-admin | Administrator access for Keycloak users. Allows you to manage users, user groups and their respective roles |
| caascad-rancher-admin | Administrator access on Rancher on all clusters. Provides read and write access to all client Kubernetes clusters |
| caascad-rancher-admin-ZONE_NAME | Same as caascad-rancher-admin but limited to ZONE_NAME |
| caascad-rancher-viewer | Read access on Rancher. Provides read-only access to all client Kubernetes clusters |
| caascad-rancher-viewer-ZONE_NAME | Same as caascad-rancher-viewer but limited to ZONE_NAME |
| caascad-concourse-member | Member access to all Concourse teams. Provides read and write access to all Concourse teams |
| caascad-concourse-member-ZONE_NAME | Same as caascad-concourse-member but limited to ZONE_NAME |
| caascad-concourse-operator | Operator access for all Concourse teams. Allows you to view and trigger the pipelines of all Concourse teams without the possibility of modifying them |
| caascad-concourse-operator-ZONE_NAME | Same as caascad-concourse-operator but limited to ZONE_NAME |
| caascad-concourse-viewer | Read access for all Concourse teams. Allows you to view the pipelines of all Concourse teams without the possibility of modifying or triggering them |
| caascad-concourse-viewer-ZONE_NAME | Same as caascad-concourse-viewer but limited to ZONE_NAME |
| caascad-vault-k8s-secrets | Write access to Vault k8s global and cluster-scoped secrets |
| caascad-vault-k8s-secrets-ZONE_NAME | Same as caascad-vault-k8s-secrets but limited to ZONE_NAME secrets |