Roles and groups#
Assigning access and permissions for a user is a time consuming process. For an enterprise of hundreds or thousands of users, this would be too time consuming for an IT administrator to realistically perform.
Don’t worry! Data Science & AI Workbench lets you utilize roles and groups within Keycloak to take this impossible task and break it down into a manageable workflow. But before you begin creating groups and assigning roles to them, you should understand exactly what each provides you with as an IT administrator.
Roles#
Roles determine the level of access a user has within Anaconda. Some custom roles have been embedded into Keycloak to provide users with varying levels of access to the software’s available features.
ae-admin - provides the user with full access to the platform and the administrative console
ae-creator - allows the user to create new projects
ae-deployer - allows the user to create new deployments from projects
ae-uploader - allows the user to upload packages
If the default Anaconda roles do not suit your use case, you can create a custom role for your users.
Groups#
The most important idea to understand about groups is that any permissions that can be granted to an individual by assigning them a role can also be granted to multiple people by assigning the role to a group.
To get you started, Anaconda provides a set of default groups with different roles mapped for each. You can use these defaults as is, or as an example for creating your own groups.
The groups provided by anaconda are structured as follows:
- admins
- Roles:
ae-admin
- developers
- Roles:
ae-deployer
ae-uploader
ae-creator
- everyone
- Roles:
none
- managers
- Roles:
none
- product managers
- Roles:
ae-deployer
ae-uploader
ae-creator
Managing roles and groups#
For Workbench customers, Anaconda has several possible user personas. IT administrators, Business Analysts, Data Scientists, Dev Ops Engineers, and Data Engineers all benefit from using Workbench, but each persona also has different needs based on their work.
You can give every one of your users exactly what they need by using roles and groups!
As stated before, Anaconda utilizes Keycloak to manage roles and groups. This includes:
Viewing available roles and groups
Creating new roles
Creating new groups
Assigning roles to groups
Configuring the default groups
Configuring the default roles
To access Keycloak:
Log in to Workbench.
Navigate to the Admin Console.
Select Manage Users to access the Keycloak user interface (UI).
Log in using your Keycloak admin account credentials.
Note
Verify that you are working on the AnacondaPlatform realm when working with roles and groups for Workbench.
Viewing roles and groups#
Roles
Use the left-hand navigation to view Realm roles at any time.
Groups
Likewise, use the left-hand navigation to view Groups at any time. If you are importing groups from an external identity server (such as LDAP or Active Directory), you will be able to view your imported groups here.
Creating custom roles#
To create a custom role for use in Anaconda:
Assigning permissions for custom roles#
Custom roles do not grant permissions upon creation. You must define the permissions for your custom role in your anaconda-enterprise-anaconda-platform.yml
config map file.
Assign permissions to your custom role by completing the following steps:
Navigate to your Kubernetes cluster admin UI, or access your cluster using
kubectl
commands at the CLI.Find your
anaconda-enterprise-anaconda-platform.yml
config map file.Create and save a copy of this file before you begin assigning permissions for your custom role.
Caution
The changes you’re about to make will impact how Workbench functions. The backup you’ve just created is a failsafe, in case you need to restore the previous configurations.
Open your
anaconda-enterprise-anaconda-platform.yml
config map file.Locate the following sections of the file and add your role as needed to assign the correct level of permissions:
admin: users:
- Add your role here to provide it with full access to the platform and the administrative console.deploy: deployers:
- Add your role here to allow it to create deployments from projects.workspace: users:
- Add your role here to allow it to open project sessions.storage: creators:
- Add your role here to allow it to create projects.repository: uploaders:
- Add your role here to allow it to upload packages to the Workbench repository.
Note
Roles listed in the
admin: users:
section of theanaconda-enterprise-anaconda-platform.yml
file must also be listed in each instance ofsuperusers:
and inui: admin-links: admin: acl:
to grant administrator level permissions.
Creating groups#
You can create as many groups as your organization needs. To create a new group, complete the following steps:
Assigning roles to groups#
Assigning a role to a group provides all group members with the permissions granted by the role. To assign a role to a group, complete the following steps:
Default roles and groups#
Roles
Default roles allow you to automatically assign user role mappings whenever a user is newly created or imported. By default, Workbench assigns the following roles to newly created and imported users:
ae-deployer
ae-uploader
ae-creator
offline_access
uma_authorization
You can disable these roles, if necessary, with the exception of the offline_access
and uma_authorization
roles. These are system configuration requirements.
To assign default roles, complete the following steps:
Select Realm settings from the left-hand navigation.
Select the User registration tab.
Select the Default roles tab.
Click Assign role.
Select the roles you would like to assign users by default, then click Assign.
Groups
Default groups allow you to automatically assign group membership whenever a new user is created or imported. By default, Anaconda adds all new users to the everyone group.
To assign default groups, complete the following steps:
Select Realm settings from the left-hand navigation.
Select the User registration tab.
Select the Default groups tab.
Click Add groups.
Select the groups you would like to add users to by default, then click Add.