# Map AW Roles to Groups

{% hint style="success" %}

#### Groups & Roles

In this hands-on workshop, you'll learn how to connect your custom Adventure Works roles with organizational groups and configure role mappings that enable PDC to receive complete identity information through JWT tokens. We'll walk through the critical process of assigning realm roles to groups so that your custom roles are automatically included in authentication tokens sent to PDC for data governance decisions.

By the end of this workshop, you will be able to:

* Assign custom realm roles to organizational groups in Keycloak
* Configure role mappings that ensure JWT tokens include all necessary role information
* Establish the connection between organizational structure and custom compliance roles
* Enable automatic role inheritance when users join specific groups
* Ensure PDC receives complete identity context through properly configured JWT tokens
* Create scalable role assignment workflows that support enterprise user management
* Troubleshoot role mapping issues in identity federation scenarios

**Workshop Role Assignments:** You'll configure role mappings for the complete Adventure Works hierarchy:

* System\_Administrators → `aw-system-administrator` role
* Sales\_Analysts → `aw-sales-analyst` role
* HR\_Specialists → `aw-hr-specialist` role
* Data\_Stewards → `aw-data-steward` role
* Compliance\_Officers → `aw-compliance-officer` role

This workshop completes the critical bridge between your organizational groups and custom roles, ensuring that when users authenticate, PDC receives the full context of WHO they are and WHAT roles they possess for data governance decision-making.
{% endhint %}

<figure><img src="/files/S5aQRglGvMfs2j8VP02h" alt=""><figcaption><p>Adventure Works Groups &#x26; Roles</p></figcaption></figure>

***

1. Log in to Keycloak:

{% embed url="<https://pdc.pentaho.lab/keycloak/admin>" %}

Username: admin

Password: admin

{% hint style="danger" %}
Ensure you select the Pentaho Data Catalog Realm.
{% endhint %}

2. In Left Menu: Groups
3. Click: AdventureWorks\_Organization > IT\_Operations > System\_Administrators

<figure><img src="/files/pYFK29VfCNgEg4VAb8as" alt=""><figcaption><p>Group: system_administrators</p></figcaption></figure>

**Assign Realm Role to Group**

1. Click: Role mappings tab
2. Click: Assign role
3. Filter by realm roles

<figure><img src="/files/jBoPtCE7Q3OCqUonylaS" alt=""><figcaption><p>Filter by Realm Roles</p></figcaption></figure>

4. Select: aw-system-administrator

<figure><img src="/files/QQ3U2RXBR3Rp6y8hbM0r" alt=""><figcaption><p>Assign Roles</p></figcaption></figure>

5. Click: Assign
6. Repeat this workflow to assign each remaining custom role to its group:

<table><thead><tr><th>Group</th><th width="242">Child Group</th><th>Role</th></tr></thead><tbody><tr><td>Sales_Divison</td><td>Sales_Analysts</td><td>aw-sales-analyst</td></tr><tr><td>HR_Division</td><td>HR_Specialist</td><td>aw-hr-specialist</td></tr><tr><td>Data_Governance</td><td>Data_Stewards</td><td>aw-data-steward</td></tr><tr><td>Data_Governance</td><td>Compliance_Officers</td><td>aw-compliance-officer</td></tr><tr><td>IT_Operations</td><td>System_Administrators</td><td>aw-system-administrators</td></tr><tr><td>IT_Operations</td><td>Datasource_Administrators</td><td>aw-datasource-administrators</td></tr></tbody></table>

<figure><img src="/files/Q3CNz7nGNytkNo5mE5Uy" alt=""><figcaption><p>Assign Role</p></figcaption></figure>
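To confirm that a group's role mapping actually reaches the JWT, decode an access token issued to a member of that group and check its realm roles. The script below is an added example, not part of the original workshop or of PDC. It assumes Keycloak's default realm-role mapper (roles under the `realm_access.roles` claim), takes the group-to-role pairs from the Workshop Role Assignments list above, and uses a constructed sample token. The function names are hypothetical.

```python
import base64
import json

# Group -> realm role pairs from the "Workshop Role Assignments" list on this page.
EXPECTED_ROLE = {
    "System_Administrators": "aw-system-administrator",
    "Sales_Analysts": "aw-sales-analyst",
    "HR_Specialists": "aw-hr-specialist",
    "Data_Stewards": "aw-data-steward",
    "Compliance_Officers": "aw-compliance-officer",
}


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_roles(token):
    """Read realm roles from an access token payload (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    # Assumption: Keycloak's default mapper, which emits realm_access.roles.
    return set((claims.get("realm_access") or {}).get("roles") or [])


def check_group_role(token, group):
    """Report whether the group's role is in the token, plus other AW roles."""
    expected = EXPECTED_ROLE[group]
    roles = realm_roles(token)
    others = sorted((roles & set(EXPECTED_ROLE.values())) - {expected})
    return {"expected": expected, "present": expected in roles, "other_aw_roles": others}


def make_sample_token(roles):
    # Constructed sample: real claim layout, placeholder signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"preferred_username": "sample.user", "realm_access": {"roles": roles}}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])


if __name__ == "__main__":
    token = make_sample_token(["offline_access", "aw-sales-analyst"])
    print(check_group_role(token, "Sales_Analysts"))
```

This only inspects claims for troubleshooting; it is not a substitute for signature validation. A non-empty `other_aw_roles` list means the user carries AW roles beyond the one mapped to the group being checked, which is worth reviewing against their other group memberships.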

{% hint style="info" %}
OK, we're getting there.

The AW groups, with their custom roles and attributes, are now in place.

Next: map the PDC default roles to the AW groups.
{% endhint %}

***

