authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md
+19-20
@@ -31,7 +31,7 @@ ODM Decision Center allows to [manage users and groups from the Business console
31
31
The Groups and Users import can be done using an LDAP connection.
32
32
But, if the openId server also provides a SCIM server, then it can also be managed using a SCIM connection.
33
33
34
-
Keycloak server doesn't provide a SCIM server by default. But, it's possible to manage it using the following opensource contribution [https://github.com/Captain-P-Goldfish/scim-for-keycloak](https://github.com/Captain-P-Goldfish/scim-for-keycloak).
34
+
Keycloak does not provide a SCIM server off the shelf. But this feature can be added using the following open-source contribution:[https://github.com/Captain-P-Goldfish/scim-for-keycloak](https://github.com/Captain-P-Goldfish/scim-for-keycloak).
35
35
As the project [https://scim-for-keycloak.de/](https://scim-for-keycloak.de) will become Enterprise ready soon, this tutorial was performed using the last available open source version : kc-20-b1 for Keycloak 20.0.5.
36
36
37
37
# Deploy on OpenShift a custom Keycloak service with a SCIM Server
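Review bot: the new line 34 is missing a space after the colon before the link ("open-source contribution:[https://github.com/..."), so the rendered Markdown runs the word and the link together; change it to "open-source contribution: [https://github.com/Captain-P-Goldfish/scim-for-keycloak](https://github.com/Captain-P-Goldfish/scim-for-keycloak)". While this sentence is being reworded, "But this feature can be added" reads better as "This feature can be added", and the unchanged line below still carries a stray space before the colon in "version : kc-20-b1".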
@@ -101,6 +101,8 @@ As the project [https://scim-for-keycloak.de/](https://scim-for-keycloak.de) wil
* Connection URL should be: ldap://ldap-service.\<OPENLDAP_PROJECT>.svc:389 (when OPENLDAP_PROJECT is the project in which OpenLdap has been deployed)
170
+
* Connection URL should be: ldap://ldap-service.\<OPENLDAP_PROJECT>.svc:389 (where OPENLDAP_PROJECT is the project in which OpenLdap has been deployed)
By default, the SCIM Groups and Users Endpoints require authentication.
273
275
276
+
Now, let us configure these endpoints to authorize authenticated users that have the rtsAdministrators role. In the ODM client application, we will use the client_credentials flow using the "service-account-odm" service account having assigned the rtsAdministrators role. We just have to configure authorization for the "Get" endpoint as the ODM SCIM Import is a read only mode and doesn't need the other endpoints (Create, Update, Delete).
274
277
275
278

276
279
277
-
Now, let's configure these endpoints to authorize authenticated users that have the rtsAdministrators role. In the ODM client application, we will use the client_credentials flow using the "service-account-odm" service account having assigned the rtsAdministrators role. We just have to configure authorization for the "Get" endpoint as the ODM SCIM Import is a read only mode and doesn't need the other endpoints (Create, Update, Delete).
278
-
279
280
- Select the **Resource Type** tab
280
281
- Click **Group** inside the table
281
282
- Select the **Authorization** sub-tab
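Review bot: in the reworded paragraph, "the ODM SCIM Import is a read only mode" should read "the ODM SCIM import runs in read-only mode", and it would help to state explicitly that only the Get endpoint is opened to holders of the rtsAdministrators role while Create, Update and Delete keep the default authentication requirement mentioned just above, since that least-privilege scope is the point of the configuration. The "when" to "where" fix in the Connection URL line is correct; that URL is unencrypted ldap:// on port 389, so it is worth a short remark that this relies on the traffic staying on the cluster-internal service network (ldap-service.<OPENLDAP_PROJECT>.svc).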
@@ -363,7 +364,7 @@ The first step is to declare the groups of users that will be Decision Center Ad
Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers** groups. If you do not do this, users are not authorized to login into the Business Console.
367
+
Let us also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers** groups. If you do not do this, users are not authorized to login into the Business Console.
367
368
368
369
- Select the **Manage > Groups** Tab
369
370
- Double-click on **TaskAuditors**
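Review bot: since this line is being reworded anyway, "users are not authorized to login into the Business Console" should become "users are not authorized to log in to the Business Console" ("login" is the noun, "log in" the verb).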
@@ -382,7 +383,7 @@ Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers*
382
383
383
384
- Log into the ODM Decision Center Business Console using the `cp4admin` user
384
385
- Select the **LIBRARY** tab
385
-
- Import the [Loan Validation Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) and [Miniloan Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Miniloan%20Service.zip) projects
386
+
- Import the [Loan Validation Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) and [Miniloan Service](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Miniloan%20Service.zip) projects if there are not already there.
386
387
387
388

388
389
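Review bot: the clause added to the import step has a typo: "if there are not already there" should be "if they are not already there".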
@@ -392,7 +393,7 @@ Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers*
392
393
- Select the **Connection Settings** sub-tab
393
394
- Check the KEYCLOAK_SCIM connection status is green
394
395
- Select the **Groups** sub-tab
395
-
- Click the **Import Groups from directories** button
396
+
- Click the **Import Groups from directories**icon button
396
397
- Select the **TaskAuditors** and **TaskUsers** groups
397
398
- Click on the **Import groups and users** button
398
399
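Review bot: the new line is missing a space between the closing bold markers and "icon", so "**Import Groups from directories**icon button" renders with the words run together; use "the **Import Groups from directories** icon" (or "icon button" if both words are wanted).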
@@ -401,14 +402,14 @@ Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers*
401
402
## Set the project security
402
403
403
404
- Select the **Project Security** sub-tab
404
-
- Click on the **Edit decision service security**of the "Loan Validation Service" project
405
+
- Click on the pen icon next to the "Loan Validation Service" project (the text **Edit decision service security**gets displayed when hovering the mouse pointer over the icon)
405
406
- Below the Security section, select **Enforce Security**
406
407
- Below the Groups section, select the **TaskAuditors** group
407
408
- Click the **Done** button
408
409
409
410

410
411
411
-
- Click the **Edit decision service security**of the "Miniloan Service" project
412
+
- Click the the pen icon next to the "Miniloan Service" project (the text **Edit decision service security**gets displayed when hovering the mouse pointer over the icon)
412
413
- Below the Security section, select **Enforce Security**
413
414
- Below the Groups section, select the **TaskUsers** group
414
415
- Click the **Done** button
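Review bot: both new lines lack a space after the closing bold markers in "**Edit decision service security**gets displayed", and the second one has a doubled article ("Click the the pen icon"); fix to "Click the pen icon next to the "Miniloan Service" project (the text **Edit decision service security** is displayed when hovering over the icon)". The two parenthetical explanations are identical, so the hover hint could be given once at the first occurrence and the second step shortened to "Click the pen icon next to the "Miniloan Service" project".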
@@ -421,7 +422,7 @@ Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers*
421
422
- Click the "Log out" link
422
423
- Click the Keycloak Logout button
423
424
424
-
-Login with `user1`. Check that the **ADMINISTRATION** tab is not available
425
+
-Log in with `user1`. Check that the **ADMINISTRATION** tab is not available
425
426
- Click on **LIBRARY** tab, only the "Miniloan Service" project must be available
426
427
- Click on top-right `user1` link
427
428
- Select "Profile" link
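Review bot: the replaced line still lacks the space after the leading hyphen ("-Log in with `user1`"), so unlike the surrounding steps it will not render as a list item; the wording fix from "Login" to "Log in" is right, but the line should read "- Log in with `user1`. Check that the **ADMINISTRATION** tab is not available".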
@@ -439,13 +440,11 @@ Let's also assign the **rtsUsers** role to the **TaskAuditors** and **TaskUsers*
439
440
440
441
# Synchronize Decision Center when updating Keycloak
441
442
442
-
During the life of a project, common situation can happen like :
443
-
- a user is moving from a group to an other.
444
-
- a new user join a group
445
-
- a user left a group
446
-
- a user change of group
447
-
- ...
443
+
During the life of a project, the following can happen :
444
+
- a user moves from a group to an other,
445
+
- a user leaves a group,
446
+
- a new user joins a group, ...
447
+
448
+
All these changes are performed using the Keycloak dashboard and then reflected inside Decision Center, either manually using the Decision Center Synchronize button or using the automatic synchronization (scheduled every 2 hours by default).
448
449
449
-
All these operations are done using the Keycloak dashboard and are reflected on Decision Center. It can be done manually using the Decision Center Synchronize button or using the automatic synchronization happening by default every 2 hours.
450
-
451
-
You can change the frequency using the Decision Center JVM option: `-Dcom.ibm.rules.decisioncenter.ldap.sync.refresh.period=60000`. The value is expressed in milliseconds.
450
+
You can read more about configuring the automatic synchronization in the documentation page [Importing users and groups from LDAP directories](https://www.ibm.com/docs/en/odm/9.5.0?topic=ldap-importing-users-groups-from-directories).
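Review bot: removing the line with the JVM option `-Dcom.ibm.rules.decisioncenter.ldap.sync.refresh.period=60000` drops the one actionable detail of this section; the link to the IBM documentation is a good addition, but keep the property name (and the note that the value is in milliseconds) so a reader can find the setting without leaving the page. Wording in the new list: "from a group to an other" should be "to another", "the following can happen :" has a stray space before the colon, and ending the last bullet with ", ..." is awkward; end it with "a new user joins a group." and keep the list to these three cases.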