# AW Groups

{% hint style="success" %}

#### Keycloak Groups

In this hands-on workshop, you'll learn how to create scalable organizational structures using Keycloak Groups to represent the Adventure Works company hierarchy. We'll walk through building hierarchical groups where users automatically inherit roles and permissions based on their organizational membership, demonstrating how proper group structure makes user management scalable across enterprise environments.

By the end of this workshop, you will be able to:

* Create hierarchical group structures in Keycloak that mirror organizational charts
* Implement scalable user management through group-based role inheritance
* Configure parent-child group relationships for complex organizational hierarchies
* Build the foundational "WHO" component of enterprise identity management
* Design group structures that automatically assign permissions when users join teams
* Create sustainable user provisioning workflows for large organizations

**Workshop Structure:** You'll create the complete Adventure Works organizational hierarchy including:

* AdventureWorks\_Organization (root)
* Sales\_Division with Sales\_Managers and Sales\_Analysts
* HR\_Division with HR\_Managers and HR\_Specialists
* Data\_Governance with Data\_Stewards and Compliance\_Officers
* IT\_Operations with System\_Administrators and Datasource\_Administrators

This workshop establishes the organizational foundation that enables automatic permission inheritance—when someone joins the Sales team, they simply get added to the Sales group and automatically receive all sales-related permissions without manual role assignment.
{% endhint %}

<figure><img src="/files/iM1g3D2o9JLUZBMNDvis" alt=""><figcaption><p>Adventure Works Groups</p></figcaption></figure>

***

{% hint style="info" %}

#### Data Catalog Realm

A Realm in Keycloak is an isolated administrative domain that manages a complete set of users, credentials, roles, and groups. Think of it as a tenant or security boundary that contains everything needed to authenticate and authorize users for a specific organization or application.

PDC is already configured to authenticate against this realm. The client / realm configuration, mappers, and authentication flows are already set up.
{% endhint %}

| Organization                 | Business Unit    | Business Groups                                   |
| ---------------------------- | ---------------- | ------------------------------------------------- |
| AdventureWorks\_Organization | Sales\_Division  | Sales\_Managers  Sales\_Analysts                  |
|                              | HR\_Division     | <p>HR\_Managers</p><p>HR\_Specialist</p>          |
|                              | Data\_Governance | Data\_Stewards Compliance\_Officers               |
|                              | IT\_Operations   | System\_Administrators Datasource\_Administrators |

1. Log into Keycloak:

{% embed url="<https://pdc.pentaho.lab/keycloak/admin>" %}
Link to Keycloak Admin
{% endembed %}

Username: admin

Password: admin

{% hint style="danger" %}
Ensure you select the Pentaho Data Catalog Realm.
{% endhint %}

1. Select: Groups > Create Group:

<figure><img src="/files/IiDqkdzw9OkRRxzsqQBl" alt=""><figcaption><p>Create a Group</p></figcaption></figure>

2. Enter Name: AdventureWorks\_Organization

<figure><img src="/files/9qF2XPRfcpZ7FUsOpM33" alt=""><figcaption></figcaption></figure>

3. Click: Save
4. Select: "AdventureWorks\_Organization"
5. Click on the dots to the right: "Create child group"

<figure><img src="/files/gpc6jzKpHumrPVK6952O" alt=""><figcaption><p>Create a Child Group</p></figcaption></figure>

6. Enter the Name: "Sales\_Division".
7. Repeat the workflow to create the other Adventure Works groups.

<figure><img src="/files/46WXpXQClSfGxafokKRc" alt=""><figcaption><p>AdventureWorks_Organization</p></figcaption></figure>

8. Then repeat again for each child 'Business Unit' - refer to the table at the top:

<figure><img src="/files/Cr6Tw64avMzj9hnoER7I" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
With the Adventure Works organization business units now mapped into Keycloak, we can now turn our attention to Roles & Attributes.
{% endhint %}

***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://academy.pentaho.com/pentaho-data-catalog-en/data-catalog/aw-organization/aw-groups.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.