# AW Users

{% hint style="success" %}

#### Add AW Users

In this hands-on workshop, you'll learn how to create test users in Keycloak to validate your identity federation and community setup between Keycloak and PDC. We'll walk through adding Adventure Works employees across different organizational roles, setting up their credentials, and preparing them for group membership assignment that demonstrates the complete WHO + WHAT identity governance pipeline.

By the end of this workshop, you will be able to:

* Create enterprise users in Keycloak with proper organizational context
* Configure user credentials and authentication settings for testing scenarios
* Understand the difference between test user creation and production directory synchronization
* Prepare users for group membership assignment and role inheritance testing
* Establish realistic test scenarios that mirror production organizational structures
* Validate identity federation workflows with representative user personas
* Create the foundation for testing data governance access controls
  {% endhint %}

{% hint style="info" %}
**Workshop Test Users:** You'll create six key Adventure Works employees representing different organizational functions:

* **Sarah Johnson** - Sales Analyst (sales data access testing)
* **Michael Chen** - HR Specialist (employee data governance testing)
* **Elena Rodriguez** - Data Steward (cross-domain governance testing)
* **David Park** - Compliance Officer (regulatory oversight testing)
* **James Lock** - System Administrator (full administrative access testing)
* **Hugo Reilly** - Database Administrator (data source testing)
  {% endhint %}

<figure><img src="/files/zeLThMxuboqAWuSCd6D6" alt=""><figcaption><p>AW Organization - Roles</p></figcaption></figure>

{% hint style="info" %}
**Production Note:** In real enterprise environments, these users would be synchronized automatically from your corporate directory (Active Directory/LDAP) rather than created manually, but this workshop demonstrates the complete user lifecycle for testing and validation purposes.

This workshop establishes the user foundation needed to test your complete identity federation setup, ensuring that organizational roles properly translate into data access permissions through the Keycloak-to-PDC integration.
{% endhint %}

***

1. Log into Keycloak:

{% embed url="<https://pdc.pentaho.lab/keycloak/admin>" %}

Username: admin

Password: admin

{% hint style="danger" %}
Ensure you select the Pentaho Data Catalog Realm.
{% endhint %}

2. Select: Users > Add User

<figure><img src="/files/mv42mMw9Fp1ly6nU8K3S" alt=""><figcaption><p>Add AW Users</p></figcaption></figure>

3. Enter the following details to add AW users:

<table><thead><tr><th width="215">Group</th><th width="138">Username</th><th width="323">Email</th><th width="113">First Name</th><th width="109">Last Name</th><th>Email Verified</th></tr></thead><tbody><tr><td>Sales Analyst</td><td>sarah.johnson</td><td>sarah.johnson@adventureworks.com</td><td>Sarah</td><td>Johnson</td><td>ON</td></tr><tr><td>HR Specialist</td><td>michael.chen</td><td>michael.chen@adventureworks.com</td><td>Michael</td><td>Chen</td><td>ON</td></tr><tr><td>Data Steward</td><td>elena.rodriguez</td><td>elena.rodriguez@adventureworks.com</td><td>Elena</td><td>Rodriguez</td><td>ON</td></tr><tr><td>Compliance Officer</td><td>david.park</td><td>david.park@adventureworks.com</td><td>David</td><td>Park</td><td>ON</td></tr><tr><td>System Administrator</td><td>james.lock</td><td>james.lock@adventureworks.com</td><td>James</td><td>Lock</td><td>ON</td></tr><tr><td>Datasource Administrator</td><td>hugo.reilly</td><td>hugo.reilly@adventureworks.com</td><td>Hugo</td><td>Reilly</td><td>ON</td></tr></tbody></table>

<figure><img src="/files/TVW78NQpf9MqIkE9SKeg" alt=""><figcaption><p>Create User</p></figcaption></figure>

4. Complete the next steps, Credentials and Groups, to finish the user profile:

{% tabs %}
{% tab title="1. Credentials" %}
{% hint style="info" %}

#### Credentials

Credentials serve as the primary mechanism for verifying user identity. Keycloak supports various credential types (passwords, OTP tokens, certificates, WebAuthn) that ensure only authorized users can access protected resources.
{% endhint %}

1. Select: Credentials tab.
2. Set password: Welcome123!

<figure><img src="/files/yH7WzT2E8MozpnmsYFF9" alt=""><figcaption><p>Set password</p></figcaption></figure>

3. Ensure Temporary is Off.

<figure><img src="/files/OJoQkGr81F4nMqUYxa4V" alt=""><figcaption><p>Set user password</p></figcaption></figure>

4. Save.

<figure><img src="/files/AO5v5LkwBJgtDewyI6KY" alt=""><figcaption><p>Credentials</p></figcaption></figure>

5. Test that you can log into Data Catalog.

<figure><img src="/files/jzeFlITtlNxEHeZUaGj9" alt=""><figcaption><p>Log into Data Catalog</p></figcaption></figure>

<figure><img src="/files/DLTuuhzSIqkBSMzsKcfp" alt=""><figcaption><p>Note SJ icon in top right.</p></figcaption></figure>

{% hint style="info" %}
All new users will be assigned the **default-roles-pdc** role with limited access.
{% endhint %}
{% endtab %}

{% tab title="2. Groups" %}
{% hint style="info" %}

#### Groups & Inheritance

In Keycloak, group membership is not automatically inherited upward through the group hierarchy. If you add a user to the deepest child group, they will only be a direct member of that specific group.

However, the user **will** inherit all the roles and attributes that are assigned to the parent groups in the hierarchy. So while they won't show up as explicit members of the main group and first child group, they will effectively have all the permissions and attributes from those parent groups.

**Group Membership:**

* User is only a direct member of the deepest child group
* User does not appear in the member lists of parent groups

**Role/Attribute Inheritance:**

* User inherits all roles assigned to the deepest child group
* User also inherits all roles assigned to the first child group (the parent of the deepest child group)
* User also inherits all roles assigned to the main group
  {% endhint %}

Select only the child group for each user:

<table><thead><tr><th width="172">User</th><th width="217">Main Group</th><th>Child Group - Select</th></tr></thead><tbody><tr><td>sarah.johnson</td><td>Sales_Division</td><td><strong>Sales_Analysts</strong></td></tr><tr><td>michael.chen</td><td>HR_Division</td><td><strong>HR_Specialists</strong></td></tr><tr><td>elena.rodriguez</td><td>Data_Governance</td><td><strong>Data_Stewards</strong></td></tr><tr><td>david.park</td><td>Data_Governance</td><td><strong>Compliance_Officers</strong></td></tr><tr><td>james.lock</td><td>IT_Operations</td><td><strong>System_Administors</strong></td></tr></tbody></table>

1. Select: Groups tab.

<figure><img src="/files/M6TdmrOjDE7eLmPFALNA" alt=""><figcaption></figcaption></figure>

2. Click: Join Group

<figure><img src="/files/vwkaoM1GfNs8DzAZCyZs" alt=""><figcaption></figcaption></figure>

3. Click: Join

<figure><img src="/files/w8RbqDwBrfYM5Y92zl29" alt=""><figcaption></figcaption></figure>

4. Repeat for the other Users - see table above.
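
The membership and inheritance rules from the Groups & Inheritance note above, worked through as an added example (not part of the original workshop or of Keycloak's code). Group paths follow the tables on this page; the role names and the `GROUP_ROLES` mapping are constructed placeholders.

```python
# Constructed model: group paths mirror the page's tables, role names are
# hypothetical placeholders (the page does not list the roles on each group).
GROUP_ROLES = {
    "/Sales_Division": {"sales_data_read"},
    "/Sales_Division/Sales_Analysts": {"sales_reports_edit"},
    "/Data_Governance": {"glossary_read"},
    "/Data_Governance/Data_Stewards": {"glossary_edit"},
    "/Data_Governance/Compliance_Officers": {"audit_read"},
}
# Users join only the child group, as in step "Join Group".
DIRECT_MEMBERSHIP = {
    "sarah.johnson": ["/Sales_Division/Sales_Analysts"],
    "elena.rodriguez": ["/Data_Governance/Data_Stewards"],
    "david.park": ["/Data_Governance/Compliance_Officers"],
}
DEFAULT_ROLES = {"default-roles-pdc"}  # assigned to every new user (per the page)

def ancestors(path):
    """Yield the group itself, then each parent, deepest first."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:depth])

def members(group):
    """Direct members only: what a group's member list shows."""
    return sorted(u for u, paths in DIRECT_MEMBERSHIP.items() if group in paths)

def role_sources(user):
    """Map each effective role to the group (or realm default) granting it."""
    sources = {role: "realm default" for role in DEFAULT_ROLES}
    for path in DIRECT_MEMBERSHIP.get(user, []):
        for group in ancestors(path):
            for role in GROUP_ROLES.get(group, set()):
                sources.setdefault(role, group)
    return sources

def effective_roles(user):
    return set(role_sources(user))

def users_with_role(role):
    """Everyone who holds a role, whether granted directly or via a parent."""
    return sorted(u for u in DIRECT_MEMBERSHIP if role in effective_roles(u))

if __name__ == "__main__":
    print("Members of /Data_Governance:", members("/Data_Governance"))
    print("Holders of glossary_read:", users_with_role("glossary_read"))
    for role, source in sorted(role_sources("david.park").items()):
        print(f"david.park: {role} <- {source}")
```

An access review that reads only a parent group's member list misses every user who receives that group's roles through a child group; `users_with_role` answers the question the member list cannot.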

{% endtab %}
{% endtabs %}

