The platform's dataspace concept in Keycloak
Keycloak manages access to dataspaces using Realms, Clients, Roles, Permissions, Users, and Groups. Each dataspace is represented by specific roles in Keycloak, and access is managed through role assignments for users or groups.
How the Platform's Dataspace Concept Maps to Keycloak
- Realm: A "top-level container" that holds all users, roles, groups, and permissions for the platform. Each realm is independent (currently one platform is supported).
- Client: Represents any platform component that interacts with Keycloak to authenticate users and check their roles within a specific dataspace.
- Realm Role: A role that applies across all clients within a realm, not specific to individual dataspaces.
- Client Role: A client-specific role applied to control access to resources within a specific dataspace.
- Composite Role: A role aggregating other roles (both realm roles and client roles), allowing complex hierarchies.
- User: An entity authenticated and authorized to access platform resources. Users are assigned roles within dataspaces, directly or through group memberships.
- Group: A collection of users. Assigning roles to a group grants all users within that group the assigned roles for the corresponding dataspace.
- Role Mapping: Assigning roles to users or groups, allowing dataspace-specific roles to control access.
This mapping is illustrated in the following image by using the same color for matching objects.
Setting Up Dataspaces in Keycloak
To configure the platform's dataspace concept in Keycloak, create a group for each dataspace and assign that dataspace's roles to the group, so that every member inherits them.
For more information about how to create roles (realm and client roles) and assign them to users and groups, please refer to the Admin Guide.
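As an added example (not part of this page or the platform's own tooling), the following Python builds a Keycloak realm-import fragment with one group and one set of client roles per dataspace, plus a composite "admin" role, and then resolves the effective client roles a user obtains through group membership. The client id "dataspace-api", the dataspace names and the role naming scheme are constructed assumptions; the JSON keys follow the Keycloak realm-export layout and should be checked against your Keycloak version.

```python
"""Build a Keycloak realm-import fragment for the dataspace concept and
resolve effective roles. All names below are constructed for illustration."""

DATASPACES = ["mobility", "energy"]   # constructed sample dataspaces
PERMISSIONS = ["read", "write"]       # constructed sample permissions
CLIENT_ID = "dataspace-api"           # constructed client id (assumption)


def build_realm_fragment(dataspaces=DATASPACES, permissions=PERMISSIONS,
                         client_id=CLIENT_ID):
    """One client role per (dataspace, permission), one composite admin role
    per dataspace, and one member group plus one admin group per dataspace."""
    client_roles, groups = [], []
    for ds in dataspaces:
        leaf = [f"{ds}:{p}" for p in permissions]
        client_roles += [{"name": n, "composite": False, "clientRole": True}
                         for n in leaf]
        # Composite role aggregating every permission of this dataspace only
        client_roles.append({"name": f"{ds}:admin", "composite": True,
                             "clientRole": True,
                             "composites": {"client": {client_id: leaf}}})
        # Groups carry the role mappings; members never see other dataspaces
        groups.append({"name": f"dataspace-{ds}", "path": f"/dataspace-{ds}",
                       "clientRoles": {client_id: leaf}})
        groups.append({"name": f"dataspace-{ds}-admins",
                       "path": f"/dataspace-{ds}-admins",
                       "clientRoles": {client_id: [f"{ds}:admin"]}})
    return {"roles": {"client": {client_id: client_roles}}, "groups": groups}


def effective_client_roles(fragment, client_id, group_names):
    """Roles a user holds via the given groups, with composites expanded
    transitively (this is how Keycloak evaluates composite role membership)."""
    by_name = {r["name"]: r for r in fragment["roles"]["client"][client_id]}
    granted = set()
    for g in fragment["groups"]:
        if g["name"] in group_names:
            granted.update(g["clientRoles"].get(client_id, []))
    stack = list(granted)
    while stack:
        role = by_name.get(stack.pop())
        if role and role.get("composite"):
            for child in role["composites"]["client"].get(client_id, []):
                if child not in granted:
                    granted.add(child)
                    stack.append(child)
    return granted
```

A useful check before importing such a fragment is that no group maps roles of more than one dataspace; the resolver above makes that visible per group.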