Create an user and setup is access rights

Description

In this tutorial you will learn how to create a new user and define its access on OnSphere.

We will:

  • add a new example user

  • configure new user with an initial mysuperpassword password

  • configure new user so that it has to change its default password on the first login

  • add a new collaborator group

  • configure new example user to be part of new collaborator group

  • configure new collaborator group to authorize it to access the collaborator dashboard

Steps

1. Initial setup

git pull
git merge origin/osp-web-configuration

2. Create the group

With the configuration

  1. Open the /modules/keycloak/keycloak-1/groups.keycloak file

  2. Create the new group:

{
    "groups": [
        {
            "attributes": {},
            "clientRoles": {},
            "name": "collaborator",
            "path": "/collaborator",
            "realmRoles": [],
            "subGroups": []
        }
    ]
}

With the front-end

  1. Connect to Keycloak

  • With the administrator

  1. Access the Keycloak administration console https://{stack_ip}:{stack_port}/auth/admin (for example https://stack-1.onsphere.local:5000/auth/admin)

  2. Login to Keycloak administration console using administration user and password configured when the stack was deployed (see System security)

  • With a user member of the administrator or user-management group

  1. Access the OnSphere front-end https://{stack_ip}:{stack_port}/ (for example https://stack-1.onsphere.local:5000/)

  2. On the side menu click on the Manage users button !

../../_images/manageUsers.png

  1. Go to the Groups tab under Manage category

  2. Click on New

  3. Enter the group name collaborator and click Save

3. Map the group to OnSphere

  1. Open the /modules/rights/rights/rights.module file

  2. Create the new mapping for the collaborators and admin:

{
    "messagingConfiguration": {
        "clientId": "osp-rights",
        "host": "rabbit"
    },
    "groups": [
        {
            "name": "all",
            "description": "Access all value",
            "externalLink": [
                "data-access",
                "configuration-management"
            ]
        },
        {
            "name": "collaborator",
            "description": "",
            "externalLink": [
                "collaborator"
            ]
        },
        {
            "name": "admin",
            "description": "",
            "externalLink": [
                "administrator"
            ]
        }
    ]
}

Warning

By default the externalLink used the name of the group as it’s identifier.

It is possible to change this behavior to use the full path by editing the realm.keycloak available on the osp-keycloak-advanced-configuration branch.

The protocolMappers named User groups need to be edited to change config.full.path to true. There are two of them by default.

4. Create the user

With the configuration

  1. Open the /modules/keycloak/keycloak-1/users.keycloak file

  2. Create the new user:

{
  "users": [
    {
      "enabled": true,
      "groups": [
        "/collaborator"
      ],
      "username": "example",
      "email": "example@localhost",
      "firstName": "example",
      "lastName": "example",
      "credentials": [
        {
          "initial": true,
          "temporary": true,
          "type": "password",
          "value": "mysuperpassword"
        }
      ],
      "attributes": {
        "authorizedKeys": [],
        "apiKey": "simple-api-key"
      }
    }
  ]
}

With the front-end

  1. Connect to Keycloak

  • With the administrator

  1. Access the Keycloak administration console https://{stack_ip}:{stack_port}/auth/admin (for example https://stack-1.onsphere.local:5000/auth/admin)

  2. Login to Keycloak administration console using administration user and password configured when the stack was deployed (see System security)

  • With a user member of the administrator or user-management group

  1. Access the OnSphere front-end https://{stack_ip}:{stack_port}/ (for example https://stack-1.onsphere.local:5000/)

  2. On the side menu click on the Manage users button !

    ../../_images/manageUsers.png

  3. Go to the Users tab under Manage category

  4. Click on Add user

  5. Enter a username and click Save

  6. Go to the Credentials tab

  7. Define a password for the user and click Set Password

  8. Go to the Groups tab

  9. In the Available groups panel, select the group collaborator and click Join

5. Create the dashboard and the access file

_root/examples/dashboard/admin/dashboard.view_

{
    "configuration": [
    ],
    "layout": {
        "lg": []
    }
}

_root/examples/dashboard/admin/dashboard.web_

{
    "moduleId": "modules.web.web-1",
    "title": "Admin dashboard",
    "description": "Admin dashboard",
    "tags": ["Admin"]
}

_root/examples/dashboard/admin/access.rights_

{
    "moduleId": "modules.rights.rights",
    "write": {
        "override": [
            "admin"
        ]
    },
    "read": {
        "override": [
            "admin"
        ]
    }
}

_root/examples/dashboard/collaborator/dashboard.view_

{
    "configuration": [
    ],
    "layout": {
        "lg": []
    }
}

_root/examples/dashboard/collaborator/dashboard.web_

{
    "moduleId": "modules.web.web-1",
    "title": "collaborator dashboard",
    "description": "collaborator dashboard",
    "tags": ["collaborator"]
}

_root/examples/dashboard/collaborator/access.rights_

{
    "moduleId": "modules.rights.rights",
    "write": {
        "override": [
            "collaborator"
        ]
    },
    "read": {
        "override": [
            "collaborator"
        ]
    }
}

6. Push the new configuration

git add .
git commit -m "Creating new user with access"
git pull
git push

7. Connect on OnSphere with the new user

../../_images/new-user-login.png ../../_images/new-user-change.png ../../_images/new-user-dashboard.png