User management by Keycloak

Use Keycloak for access control management. Key definitions:

  • A set of available roles with descriptions is given in the table.
Create/Update Instrument/Pricer/Hedger/RiskLimits + - - + -
Start Instrument/Pricer/Hedger + - + - -
Start/Stop all + - + - -
Delete Instrument + - - + -
Create/Update Risk Configuration - + - - -
Create/Update Currency/RiskLimits/Hedger - + - - -
Start/Stop Risk Rule Hedger - + + - -
Delete Risk Rule - + - - -
Create/Update/Delete Alert rule + + + + -
Universe Configurator Editor role - - - - +
  • There are no read/view restrictions in the system.

  • All roles are added during deployment.

Add a New User

  • Log in to the Keycloak Administration Console using the password from KEYCLOAK_PASSWORD in the .env file or keycloak_password in Terraform. If the password was changed in the Keycloak Master realm after deployment, use the changed password instead.
  • Check which realm is currently selected (top left corner). If it is MarketMaker, you will create or amend MM users; if it is Master, you will create or amend Keycloak users, which have access to the Administration Console only.

  • Click the Manage->Users link to open the users list page, then click the View all users button near the Search text box. You should see the list of users that already exist in the system.
  • Click the Add user button.

  • On the Add user page, specify the appropriate user information and click the Save button (the Username field is mandatory).

  • Click the Credentials tab. Type a password in the Password field and repeat it in the Password Confirmation field. To avoid requiring a password change on first login, set the Temporary selector to OFF. Click Set Password to set the password for the new user.

Assigning roles to the user

  • Click the Role Mappings tab. Find the necessary role in Available Roles and click the Add selected button to add this role to the user.

  • Check the Assigned Roles section to make sure that the role has been added.

  • To remove a role assigned to a user, find the role in Assigned Roles and click the Remove selected button.

  • The role becomes available to the user only at the next login, so the user must log out and log in again.
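
The add-user and role-assignment steps above can also be scripted with Keycloak's kcadm.sh admin CLI, which makes the procedure repeatable and reviewable. This is an added example, not part of the product's own tooling; the server URL, the admin account name, the role name passed in and the MM_USER_PASSWORD variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the console steps as kcadm.sh calls. Dry run by default.
: "${KEYCLOAK_URL:=https://keycloak.example.internal}"  # constructed placeholder
: "${KEYCLOAK_ADMIN_USER:=admin}"                       # assumed admin account
: "${MM_REALM:=MarketMaker}"                            # realm name from the page

# Print the command with secrets masked (DRY_RUN=1, default) or execute it.
run_kcadm() {
    if [ "${DRY_RUN:-1}" != "1" ]; then kcadm.sh "$@"; return; fi
    kc_line="kcadm.sh"; kc_mask=0
    for kc_arg in "$@"; do
        if [ "$kc_mask" = "1" ]; then kc_arg='***'; kc_mask=0; fi
        case "$kc_arg" in --password|--new-password) kc_mask=1 ;; esac
        kc_line="$kc_line $kc_arg"
    done
    printf '%s\n' "$kc_line"
}

# add_mm_user USERNAME ROLE [on|off]   (third argument = Temporary selector)
# The new user's password is read from MM_USER_PASSWORD (hypothetical variable)
# so that it is not typed into the shell history.
add_mm_user() {
    user=$1; role=$2; temporary=${3:-off}
    [ -n "$user" ] && [ -n "$role" ] || { echo "usage: add_mm_user USER ROLE [on|off]" >&2; return 2; }
    [ -n "${MM_USER_PASSWORD:-}" ] || { echo "MM_USER_PASSWORD is not set" >&2; return 2; }
    if [ "$temporary" = "on" ]; then tmp_flag=--temporary; else tmp_flag=; fi

    # Log in with the admin password (KEYCLOAK_PASSWORD from the .env file).
    run_kcadm config credentials --server "$KEYCLOAK_URL" --realm master \
        --user "$KEYCLOAK_ADMIN_USER" --password "${KEYCLOAK_PASSWORD:-}" || return 1
    # Add the user in the MarketMaker realm; only the username is mandatory.
    run_kcadm create users -r "$MM_REALM" -s "username=$user" -s enabled=true || return 1
    # Credentials tab: --temporary forces a password change at first login.
    # $tmp_flag is intentionally unquoted so an empty value adds no argument.
    run_kcadm set-password -r "$MM_REALM" --username "$user" \
        --new-password "$MM_USER_PASSWORD" $tmp_flag || return 1
    # Role Mappings tab: add the role, then list assigned roles to confirm.
    run_kcadm add-roles -r "$MM_REALM" --uusername "$user" --rolename "$role" || return 1
    run_kcadm get-roles -r "$MM_REALM" --uusername "$user"
}

# Run directly when called with arguments, e.g.: ./add_mm_user.sh trader1 <role>
if [ "$#" -ge 2 ]; then add_mm_user "$@"; fi
```

Set DRY_RUN=0 to execute the commands instead of printing them. Passwords passed as kcadm.sh arguments are visible in the process list while the command runs, so run it from a trusted admin host.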