User Access Control

KeyCloak is an un-opinionated and general purpose tool and allows many different general purpose entities. These entities can be mixed and matched to fit specific organizational structures.

WiMetrix uses KeyCloak to facilitate user authentication and authorization.

We enforce Role-Based Access Control (RBAC) by combining Roles, Groups, and Users.

Read on below to understand how everything works.

Role: A specific and narrow permission. It usually maps to a single action to be performed.

  • Examples: order:po:get, packing:blueprint:delete, packing:pack_job:assign, spts:customer:get
  • It is possible to create composite roles that combine several other roles into a super role

Group: A user type or an organizational role.

  • As the name suggests, groups combine many permissions (Roles) under a single name
  • Assign one or many Roles to each Group

User: A user that belongs to the organization. Can be either an admin or a regular user.

  • Can be assigned one or more Groups
  • A user assigned to a group inherits all the Roles assigned to that group
  • Roles can also be mapped to Users directly for fine-grained control
    • This should be avoided to keep access control flow simple

Admin User: Any User that has access to the admin portal. Admin users can add, update, and manage access for other users.

It is recommended to disallow Admin Users from signing in to applications. This keeps the separation between regular users and admins well-defined. The simplest way to achieve this is to not assign any Role or Group to admin users.
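The Role, Group, User and Admin User rules above can be checked mechanically. The following is an added example (not WiMetrix code and not the Keycloak API) that resolves a user's effective roles from group membership, direct mappings and composite roles, and verifies that an admin user holds no application roles. The realm data is constructed for illustration; the role and group names are assumed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample realm data (assumed, not exported from a real Keycloak instance).
# Role names follow the domain:entity:action pattern used in the examples above.
COMPOSITE_ROLES = {
    # "packing:manager" is a composite (super) role bundling two narrow roles
    "packing:manager": {"packing:blueprint:delete", "packing:pack_job:assign"},
}
GROUP_ROLES = {
    "packing-supervisors": {"packing:manager", "order:po:get"},
    "sales": {"spts:customer:get", "order:po:get"},
    "admins": set(),  # admin portal only: deliberately no application roles
}


@dataclass
class User:
    username: str
    groups: Set[str] = field(default_factory=set)
    direct_roles: Set[str] = field(default_factory=set)  # direct mappings, discouraged


def expand_role(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the role plus everything a composite role contains (cycle-safe)."""
    seen = seen if seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    out = {role}
    for child in COMPOSITE_ROLES.get(role, ()):
        out |= expand_role(child, seen)
    return out


def effective_roles(user: User) -> Set[str]:
    """Roles inherited through groups plus direct mappings, composites expanded."""
    assigned = set(user.direct_roles)
    for group in user.groups:
        assigned |= GROUP_ROLES.get(group, set())
    result: Set[str] = set()
    for role in assigned:
        result |= expand_role(role)
    return result


def has_permission(user: User, role: str) -> bool:
    return role in effective_roles(user)


def is_application_isolated(user: User) -> bool:
    """True when the user holds no application roles, as recommended for admins."""
    return not effective_roles(user)
```

A user in `packing-supervisors` ends up with both narrow packing roles through the composite, while a user only in `admins` resolves to an empty role set.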

Access scopes define fine-grained data access control by associating a user with specific entities.

The different access scopes are defined below:

  • Sections: The sections the user can access
  • Companies: The companies the user can access
    • Can be further divided into Branches
    • Branches: The branches the user can access
      • Can be further divided into Lines and Pack Stations
      • Lines: The lines the user can access
      • Pack Stations: The pack stations the user can access

Key Points about Access Scopes:

  • Each user can be associated with one or more access scopes.
  • Access scopes enable precise control over the data available to each user.
  • A user can have access to multiple companies, branches, lines, sections, and pack stations as needed.

To manage users via the REST API, the user must have the manage-users client role.

The role is assigned to the admin user group, and can be assigned to other groups as needed.

Users with this permission can add, update, or delete users in the SooperWizer web application.

  1. Navigate to the Users tab in the sidebar
    • Existing users can be viewed, updated, and deleted
    • New users can be created
    • The user details page shows the information and access for a user
  2. View the user information and access by clicking on the Details button from the user’s row in the table
  3. Delete a user by clicking on the Delete button from the user’s row in the table
  4. Add a user by clicking the Add button
  5. Update a user by clicking on the Edit button from the user’s row in the table

To add or update a user:

  1. Fill in user information
    • Username: Must be unique and cannot contain spaces
    • Enabled: If unchecked, the user will not be able to log in
    • First name: The first name of the user
    • Last name (optional): The last name of the user
    • Password: The user’s password
      • The password and confirmation fields must match
      • For new users, the password fields are required
      • For existing users, the password is updated only if the password fields are filled in
  2. Assign groups to the user to give access to resources
    • The user can be assigned to multiple groups
  3. Set the user’s access scopes
  4. Click the Submit button to add or update the user

[Screenshots: User management 1 to 4]