# AW Roles & Attributes

{% hint style="success" %}

#### Keycloak Custom Roles

In this hands-on workshop, you'll learn how to create custom roles and attributes in Keycloak that establish the identity federation layer supporting PDC's data governance framework. We'll walk through designing Adventure Works-specific roles with detailed compliance attributes that create the foundation for audit trails, regulatory compliance, and business-aligned data access controls meeting GDPR, CCPA, and SOX requirements.

By the end of this workshop, you will be able to:

* Create custom business-specific roles in Keycloak for enterprise data governance
* Design comprehensive role attributes that support regulatory compliance requirements
* Implement audit-ready role structures for GDPR, CCPA, LGPD, and SOX compliance
* Configure role-based access controls that align with business functions and data domains
* Establish retention policies and access levels through role attributes
* Build the identity foundation that integrates with PDC's data governance capabilities
* Create scalable role architectures for complex organizational compliance needs

**Workshop Role Structure:** You'll create and configure roles including:

* `aw-system-administrator` with full governance oversight and permanent retention
* `aw-datasource-administrator` with full data source access
* `aw-data-steward` with cross-domain quality oversight and 7-year retention
* `aw-sales-manager` with sales analytics access and customer relationship compliance
* `aw-hr-manager` with employee data access and employment law compliance

This workshop establishes the critical "WHO" component with detailed attributes that enable PDC to make sophisticated "WHAT" decisions about data access based on compliance scope, business function, and audit requirements.
{% endhint %}

<figure><img src="https://1051758685-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fw1qJj4OGmdcvowiklB9W%2Fuploads%2FTeQUyg6WmtIdyAOv9muv%2Fimage.png?alt=media&#x26;token=317bea88-6537-43ac-97f7-658ef6c3bf69" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Keycloak custom role attributes are powerful metadata fields that enable sophisticated authorization logic and fine-grained access control.
{% endhint %}

***

1. Log into Keycloak:

{% embed url="https://pdc.pentaho.lab/keycloak/admin" %}
Link to Keycloak Admin
{% endembed %}

Username: admin

Password: admin

{% hint style="danger" %}
Ensure you select the Pentaho Data Catalog Realm.
{% endhint %}

1. Select: Realm Roles:
2. Enter the following:

   Role name: aw-system-administrator

   Description: Adventure Works enterprise data governance with full technical compliance oversight.

<figure><img src="https://1051758685-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fw1qJj4OGmdcvowiklB9W%2Fuploads%2FylKkyq6QRKLKAlHLiE0d%2Fimage.png?alt=media&#x26;token=072d4737-75f1-4726-ac3c-941530afa65e" alt=""><figcaption><p>Role: aw-system-administrator</p></figcaption></figure>

3. Click Save.
4. Click on Attributes.

{% hint style="warning" %}
The attributes are not 'leveraged' in this implementation. The AW Roles are going to be 'mapped'
{% endhint %}

<figure><img src="https://1051758685-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fw1qJj4OGmdcvowiklB9W%2Fuploads%2FKrXOSunEKEYBZJFIUllX%2Fimage.png?alt=media&#x26;token=45f39e36-e507-4d08-bf25-c05038e8bacb" alt=""><figcaption><p>Add attributes</p></figcaption></figure>

5. Add the following attributes:

**aw-system-administrator**

| Key                 | Value                 |
| ------------------- | --------------------- |
| business\_function  | system\_administrator |
| compliance\_scope   | technical\_custodian  |
| data\_access\_level | all\_permissions      |
| emergency\_access   | enabled               |
| data\_domains       | all\_adventureworks   |

<details>

<summary>Keycloak Role Attributes in PDC</summary>

**Role attributes are metadata key-value pairs attached to Keycloak roles that enable sophisticated, policy-driven authorization beyond simple role names.** Instead of just checking "does user have data-steward role?", PDC can now ask "does this data steward have authority for confidential data in North America during business hours?"

**Role attributes transform static permissions into intelligent, context-aware policies.** They allow PDC to enforce complex business rules such as data classification levels, geographic restrictions, time-based access, approval workflows, and compliance requirements, all without hardcoding logic into the application.

#### Adventure Works Example

Consider Sarah Johnson, a Sales Manager at Adventure Works:

```json
{
  "name": "adventureworks-sales-manager",
  "attributes": {
    "data_classification_access": ["public", "internal", "confidential"],
    "geographic_scope": ["north-america"],
    "department_access": ["sales", "marketing"],
    "business_hours_only": ["true"],
    "approval_authority_level": ["2"],
    "can_modify_business_terms": ["true"]
  }
}
```

**When Sarah logs into PDC, these attributes automatically determine that she can:**

* Access confidential customer data (but not restricted financial projections)
* View sales and marketing data sources in North America only
* Curate business glossary terms for her department
* Approve data access requests up to level 2
* Only access the system during business hours (9-5 EST)

**The JWT token carries these attributes, enabling PDC to make real-time authorization decisions:** "Can Sarah access the European customer database at 10 PM?" → No (geographic scope + time restrictions). "Can she approve a contractor's request for internal sales data?" → Yes (approval authority level 2, internal classification).

**This approach eliminates complex authorization code, centralizes business rules in Keycloak, enables compliance automation, and scales effortlessly as Adventure Works grows across regions and departments.**

</details>
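The decision logic the text sketches for Sarah, written out as an added example (not workshop code and not PDC's own authorization code): a deny-by-default evaluator over the sales-manager role attributes above. It assumes the attributes have been mapped into a token claim in Keycloak's list-of-strings shape and that request times are given in the business time zone (EST on the page).

```python
"""Evaluate an access request against Keycloak role attributes (constructed example)."""
from datetime import datetime

# Constructed sample: the sales-manager role attributes as they would arrive in a
# token claim. Keycloak stores every attribute value as a list of strings.
SALES_MANAGER_ATTRS = {
    "data_classification_access": ["public", "internal", "confidential"],
    "geographic_scope": ["north-america"],
    "department_access": ["sales", "marketing"],
    "business_hours_only": ["true"],
    "approval_authority_level": ["2"],
    "can_modify_business_terms": ["true"],
}

# 09:00-16:59; request times are interpreted in the business time zone (assumption).
BUSINESS_HOURS = range(9, 17)


def first(attrs, key, default=""):
    """Return the first value of a multi-valued attribute, or the default."""
    vals = attrs.get(key) or []
    return vals[0] if vals else default


def evaluate(attrs, classification, region, department, when, approval_level=0):
    """Deny by default: every check must pass, and every failed check is reported
    so the audit log can explain the denial instead of only recording 'denied'."""
    reasons = []
    if classification not in attrs.get("data_classification_access", []):
        reasons.append(f"classification '{classification}' not granted")
    if region not in attrs.get("geographic_scope", []):
        reasons.append(f"region '{region}' outside geographic scope")
    if department not in attrs.get("department_access", []):
        reasons.append(f"department '{department}' not granted")
    if first(attrs, "business_hours_only") == "true" and when.hour not in BUSINESS_HOURS:
        reasons.append(f"outside business hours ({when.hour:02d}:00)")
    if approval_level > int(first(attrs, "approval_authority_level", "0")):
        reasons.append(f"approval level {approval_level} exceeds authority")
    return (not reasons, reasons)


def evaluate_request(attrs, classification, region, department, when_iso, approval_level=0):
    """Convenience wrapper taking an ISO-8601 local time string."""
    return evaluate(attrs, classification, region, department,
                    datetime.fromisoformat(when_iso), approval_level)


if __name__ == "__main__":
    # The two questions from the text: the European customer database at 10 PM,
    # and approving a contractor's level-2 request for internal sales data.
    cases = {
        "EU customer DB at 22:00": ("confidential", "europe", "sales", "2024-03-04T22:00:00", 0),
        "approve internal sales request": ("internal", "north-america", "sales", "2024-03-04T14:00:00", 2),
    }
    for label, args in cases.items():
        allowed, reasons = evaluate_request(SALES_MANAGER_ATTRS, *args)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```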

<figure><img src="https://1051758685-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fw1qJj4OGmdcvowiklB9W%2Fuploads%2FlQ9GDN3gj8WOkEXPBVv4%2Fimage.png?alt=media&#x26;token=027a6ab9-5f49-494f-a4e4-db65efaaa7a0" alt=""><figcaption><p>aw-system-administrator attributes</p></figcaption></figure>

6. Click: Save

{% hint style="info" %}
PDC can read these attributes from JWT tokens to make fine-grained authorization decisions. The compliance\_scope attribute enables jurisdiction-specific access controls, while audit\_category supports automated compliance reporting.
{% endhint %}

7. Repeat to create the roles and add the attributes:

{% tabs %}
{% tab title="aw-sales-analyst" %}
{% hint style="info" %}

#### AW Sales Analyst

A Sales Analyst leverages the AdventureWorks2022 database to extract, analyze, and interpret sales performance data to drive business insights and strategic decision-making. This role involves querying and analyzing data from the Sales schema, including customer transactions, order details, sales territories, and product performance metrics to identify trends, forecast revenue, and evaluate sales effectiveness.

The Sales Analyst creates reports and dashboards that track key performance indicators such as sales growth, customer acquisition, product profitability, and regional performance, while collaborating with sales leadership to translate data findings into actionable recommendations. They also conduct comparative analyses across time periods and territories, investigate anomalies in sales patterns, and support pricing and promotional strategies by analyzing historical data and market trends within the AdventureWorks catalog.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-sales-analyst
3. Description: Adventure Works sales data analysis and customer insights.

<table><thead><tr><th width="257">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>sales_analytics</td></tr><tr><td>compliance_scope</td><td>gdpr_legitimate_interest,ccpa_business_purpose</td></tr><tr><td>data_access_level</td><td>sales_domain_only</td></tr><tr><td>audit_category</td><td>business_analytics</td></tr><tr><td>retention_policy</td><td>7_years_customer_relationship</td></tr><tr><td>data_domains</td><td>sales,customer,product_catalog</td></tr></tbody></table>
{% endtab %}

{% tab title="aw-hr-specialist" %}
{% hint style="info" %}

#### HR Specialist

An HR Specialist utilizes the AdventureWorks2022 database to manage and analyze employee-related data, supporting strategic workforce planning and human resources operations. This role involves working with data from the HumanResources schema, including employee demographics, organizational hierarchies, department structures, job titles, compensation records, and employment history to track workforce metrics and ensure accurate personnel recordkeeping.

The HR Specialist generates reports on headcount, turnover rates, compensation analysis, and departmental staffing levels, while maintaining data privacy and compliance with employment regulations. They collaborate with department managers to support recruitment needs, analyze workforce trends, conduct pay equity assessments, and provide data-driven insights that inform talent management strategies, succession planning, and organizational development initiatives within the AdventureWorks catalog.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-hr-specialist
3. Description: Adventure Works human resources data management and analytics.

<table><thead><tr><th width="255">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>human_resources</td></tr><tr><td>compliance_scope</td><td>gdpr_employment_data,employment_law</td></tr><tr><td>data_access_level</td><td>hr_domain_only</td></tr><tr><td>audit_category</td><td>employee_management</td></tr><tr><td>retention_policy</td><td>30_years_employment_law</td></tr><tr><td>data_domains</td><td>human_resources,employee_personal_data</td></tr><tr><td>special_categories</td><td>gdpr_article_9_employment</td></tr></tbody></table>
{% endtab %}

{% tab title="aw-compliance-officer" %}
{% hint style="info" %}

#### AW Compliance Officer

A Compliance Officer ensures that data management practices within the AdventureWorks2022 database adhere to regulatory requirements, industry standards, and internal policies governing data privacy, security, and ethical use. This role involves monitoring data handling procedures across Sales, HumanResources, Production, and Purchasing schemas to ensure compliance with regulations such as GDPR, CCPA, and employment laws, while conducting regular audits to verify data integrity and proper access controls.

The Compliance Officer establishes and enforces data governance frameworks, reviews data retention and deletion policies, investigates potential compliance breaches, and maintains comprehensive audit trails for regulatory reporting purposes. They collaborate with Data Stewards, IT security teams, and legal counsel to assess compliance risks, implement corrective measures when violations occur, and provide training to employees on data handling best practices, ensuring the organization maintains regulatory compliance and protects sensitive information throughout the AdventureWorks catalog.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-compliance-officer
3. Description: Adventure Works regulatory compliance monitoring and audit management.

<table><thead><tr><th width="276">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>regulatory_compliance</td></tr><tr><td>compliance_scope</td><td>gdpr,ccpa,lgpd,sox,pci_dss</td></tr><tr><td>data_access_level</td><td>audit_read_only</td></tr><tr><td>audit_category</td><td>compliance_oversight</td></tr><tr><td>retention_policy</td><td>regulatory_audit_requirements</td></tr><tr><td>data_domains</td><td>all_domains_audit_access</td></tr><tr><td>special_permissions</td><td>data_subject_rights,breach_investigation</td></tr></tbody></table>
{% endtab %}

{% tab title="aw-data-steward" %}
{% hint style="info" %}

#### AW Data Steward

An AdventureWorks Data Steward is responsible for ensuring the quality, integrity, and proper governance of data within the AdventureWorks2022 database catalog. This role involves defining and enforcing data standards, maintaining metadata documentation for tables such as Sales, Production, Human Resources, and Purchasing schemas, and establishing clear data definitions and business glossaries that align with organizational needs.

The Data Steward acts as a liaison between technical teams and business users, resolving data quality issues, managing access permissions, and ensuring compliance with data policies. They also oversee data lineage tracking, coordinate data remediation efforts when inconsistencies arise, and facilitate the discoverability and understanding of AdventureWorks datasets to enable effective decision-making across the organization.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-data-steward
3. Description: Adventure Works cross-domain data quality and governance oversight.

<table><thead><tr><th width="232">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>data_stewardship</td></tr><tr><td>compliance_scope</td><td>gdpr,ccpa,data_quality</td></tr><tr><td>data_access_level</td><td>metadata_governance</td></tr><tr><td>audit_category</td><td>stewardship</td></tr><tr><td>retention_policy</td><td>7_years_governance</td></tr></tbody></table>
{% endtab %}

{% tab title="aw-system-administrator" %}
{% hint style="info" %}

#### AW System Administrator

A System Administrator is responsible for the technical infrastructure, performance, and availability of the AdventureWorks2022 database environment within the data catalog ecosystem. This role involves managing database server configurations, implementing backup and disaster recovery procedures, monitoring system performance and resource utilization, and ensuring optimal query execution across all schemas including Sales, Production, HumanResources, and Purchasing.

The System Administrator handles user account provisioning, configures role-based access controls and security permissions, applies software patches and updates, and troubleshoots technical issues to maintain database uptime and reliability. They work closely with Data Stewards and developers to optimize database performance through index management and query tuning, implement data integration pipelines connecting AdventureWorks to the data catalog platform, and maintain comprehensive system documentation including architecture diagrams, configuration standards, and incident response procedures to ensure the database infrastructure remains secure, scalable, and accessible to authorized users.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-system-administrator
3. Description: Adventure Works enterprise data governance with full technical compliance oversight.

<table><thead><tr><th width="239">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>system_administration</td></tr><tr><td>compliance_scope</td><td>technical_custodian</td></tr><tr><td>data_access_level</td><td>all_permissions</td></tr><tr><td>emergency_access</td><td>enabled</td></tr><tr><td>data_domains</td><td>all_adventureworks</td></tr></tbody></table>
{% endtab %}

{% tab title="aw-datasource-administrator" %}
{% hint style="info" %}

#### AW Datasource Administrator

A data source administrator (DSA) is responsible for the performance, integrity, and security of an organization's data sources. Their core duties include installing and configuring data source systems, monitoring performance and optimizing queries, implementing backup and recovery strategies, managing user access and permissions, and ensuring data security through proper authentication and encryption protocols.

DSAs also plan for capacity and scalability, troubleshoot issues, apply patches and updates, and maintain documentation of database structures and procedures. In the context of systems like AdventureWorks2022, a DSA would ensure the database remains available, performs efficiently for catalog operations, and that data remains accurate and protected from unauthorized access or loss.
{% endhint %}

1. Click: Create role
2. Enter: Role name: aw-datasource-administrator
3. Description: Adventure Works data source administrators who are responsible for the performance, integrity, and security of an organization's data sources.

<table><thead><tr><th width="236">Key</th><th>Value</th></tr></thead><tbody><tr><td>business_function</td><td>datasource_administration</td></tr><tr><td>compliance_scope</td><td>technical_custodian</td></tr><tr><td>data_access_level</td><td>admin</td></tr><tr><td>allowed_databases</td><td>adventureworks2022</td></tr></tbody></table>
{% endtab %}
{% endtabs %}
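The same roles and attributes can be created without clicking through the console, using the Keycloak Admin REST API. This is an added example, not workshop or Pentaho code; it assumes the admin URL and credentials from the login step above, uses a placeholder realm name you must replace with the PDC realm's actual name, and splits the comma-separated table cells into multi-valued attributes (the list form the suggested JSON below uses).

```python
"""Create the workshop's AW realm roles with attributes via the Keycloak Admin REST API."""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK = "https://pdc.pentaho.lab/keycloak"      # from the workshop login step
REALM = "PLACEHOLDER-pdc-realm-name"                # placeholder: the PDC realm's name
ADMIN_PASSWORD = os.environ.get("KC_ADMIN_PASSWORD", "admin")   # workshop default

# Two of the attribute tables from the workshop; a comma-separated cell becomes a
# multi-valued attribute. Add the remaining roles in the same shape.
ROLES = {
    "aw-data-steward": ("Adventure Works cross-domain data quality and governance oversight.", {
        "business_function": "data_stewardship",
        "compliance_scope": "gdpr,ccpa,data_quality",
        "data_access_level": "metadata_governance",
        "audit_category": "stewardship",
        "retention_policy": "7_years_governance",
    }),
    "aw-hr-specialist": ("Adventure Works human resources data management and analytics.", {
        "business_function": "human_resources",
        "compliance_scope": "gdpr_employment_data,employment_law",
        "data_access_level": "hr_domain_only",
        "audit_category": "employee_management",
        "retention_policy": "30_years_employment_law",
        "data_domains": "human_resources,employee_personal_data",
        "special_categories": "gdpr_article_9_employment",
    }),
}


def build_role_representation(name, description, attrs):
    """Keycloak's RoleRepresentation stores every attribute as a list of strings."""
    return {"name": name, "description": description,
            "attributes": {k: [v.strip() for v in val.split(",") if v.strip()]
                           for k, val in attrs.items()}}


def _call(method, path, token=None, body=None, form=None):
    """Minimal JSON/form client over urllib; raises on any non-2xx response."""
    data = urllib.parse.urlencode(form).encode() if form else (json.dumps(body).encode() if body else None)
    req = urllib.request.Request(KEYCLOAK + path, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded" if form else "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def admin_token():
    """Password grant against the master realm with the built-in admin-cli client."""
    return _call("POST", "/realms/master/protocol/openid-connect/token",
                 form={"grant_type": "password", "client_id": "admin-cli",
                       "username": "admin", "password": ADMIN_PASSWORD})["access_token"]


def create_roles(token):
    for name, (description, attrs) in ROLES.items():
        rep = build_role_representation(name, description, attrs)
        _call("POST", f"/admin/realms/{REALM}/roles", token, body=rep)
        # Re-PUT by name so the attributes are persisted on versions that ignore them on create.
        _call("PUT", f"/admin/realms/{REALM}/roles/{name}", token, body=rep)


if __name__ == "__main__":
    create_roles(admin_token())
```

After running it, open Realm roles in the console and confirm the Attributes tab of each role shows one row per value, exactly as the manual steps produce.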

{% hint style="info" %}
Quick recap: We've now created our AW Groups that map to the structure of the business units.

We have also created custom roles with attributes, so, for example, once the next activity is complete, when Sarah joins as a Sales Analyst we just add her to the Sales\_Analysts group and she automatically gets all the necessary permissions.

No individual role management needed.
{% endhint %}

<figure><img src="https://1051758685-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fw1qJj4OGmdcvowiklB9W%2Fuploads%2FUx3DcT0x6Ghn1sPC8jkV%2Fimage.png?alt=media&#x26;token=9cb47763-7a12-413f-9d1e-cfe6b3a97ab3" alt=""><figcaption><p>Adventure Works Groups &#x26; Roles</p></figcaption></figure>

***

{% hint style="warning" %}

### Role Attribute Suggestions:

So what's missing?

* HR\_Managers
* Sales\_Managers

You should assign appropriate roles to HR\_Managers and Sales\_Managers groups to complete your role structure.
{% endhint %}

#### **aw-sales-manager** (new role):

```json
{
  "compliance_scope": ["gdpr_legitimate_interest", "ccpa_business_purpose"],
  "data_domains": ["sales", "customer", "product_catalog", "revenue_analytics"],
  "data_access_level": ["sales_management_oversight"],
  "retention_policy": ["7_years_customer_relationship"],
  "business_function": ["sales_management"],
  "audit_category": ["management_analytics"],
  "special_permissions": ["team_performance", "revenue_forecasting"]
}
```

#### **aw-hr-manager** (new role):

```json
{
  "compliance_scope": ["gdpr_employment_data", "employment_law"],
  "data_domains": ["human_resources", "employee_personal_data", "performance_data"],
  "data_access_level": ["hr_management_oversight"],
  "retention_policy": ["30_years_employment_law"],
  "business_function": ["human_resources_management"],
  "audit_category": ["employee_management"],
  "special_permissions": ["performance_reviews", "compensation_management"]
}
```

***
