AW Roles & Attributes
Keycloak custom Roles & Attributes
Keycloak Custom Roles
In this hands-on workshop, you'll learn how to create custom roles and attributes in Keycloak that establish the identity federation layer supporting PDC's data governance framework. We'll walk through designing Adventure Works-specific roles with detailed compliance attributes that create the foundation for audit trails, regulatory compliance, and business-aligned data access controls meeting GDPR, CCPA, and SOX requirements.
By the end of this workshop, you will be able to:
Create custom business-specific roles in Keycloak for enterprise data governance
Design comprehensive role attributes that support regulatory compliance requirements
Implement audit-ready role structures for GDPR, CCPA, LGPD, and SOX compliance
Configure role-based access controls that align with business functions and data domains
Establish retention policies and access levels through role attributes
Build the identity foundation that integrates with PDC's data governance capabilities
Create scalable role architectures for complex organizational compliance needs
Workshop Role Structure: You'll create and configure roles including:
aw-system-administrator with full governance oversight and permanent retention
aw-datasource-administrator with full data source access
aw-data-steward with cross-domain quality oversight and 7-year retention
aw-sales-manager with sales analytics access and customer relationship compliance
aw-hr-manager with employee data access and employment law compliance
This workshop establishes the critical "WHO" component with detailed attributes that enable PDC to make sophisticated "WHAT" decisions about data access based on compliance scope, business function, and audit requirements.

Log into Keycloak:
Username: admin
Password: admin
Ensure you select the Pentaho Data Catalog Realm.
Select: Realm Roles:
Enter the following:
Role name: aw-system-administrator
Description: Adventure Works enterprise data governance with full technical compliance oversight.

Click Save.
Click on Attributes.
The attributes are not 'leveraged' in this implementation. The AW Roles are going to be 'mapped'

Add the following attributes:
aw-system-administrator
business_function: system_administrator
compliance_scope: technical_custodian
data_access_level: all_permissions
emergency_access: enabled
data_domains: all_adventureworks

Click: Save
Repeat to create the roles and add the attributes:
AW Sales Analyst
A Sales Analyst leverages the AdventureWorks2022 database to extract, analyze, and interpret sales performance data to drive business insights and strategic decision-making. This role involves querying and analyzing data from the Sales schema, including customer transactions, order details, sales territories, and product performance metrics to identify trends, forecast revenue, and evaluate sales effectiveness.
The Sales Analyst creates reports and dashboards that track key performance indicators such as sales growth, customer acquisition, product profitability, and regional performance, while collaborating with sales leadership to translate data findings into actionable recommendations. They also conduct comparative analyses across time periods and territories, investigate anomalies in sales patterns, and support pricing and promotional strategies by analyzing historical data and market trends within the AdventureWorks catalog.
Click: Create role
Enter: Role name: aw-sales-analyst
Description: Adventure Works sales data analysis and customer insights.
business_function: sales_analytics
compliance_scope: gdpr_legitimate_interest,ccpa_business_purpose
data_access_level: sales_domain_only
audit_category: business_analytics
retention_policy: 7_years_customer_relationship
data_domains: sales,customer,product_catalog

Role Attribute Suggestions:
So what's missing?
HR_Managers
Sales_Managers
You should assign appropriate roles to HR_Managers and Sales_Managers groups to complete your role structure.
aw-sales-manager (new role):
{
"compliance_scope": ["gdpr_legitimate_interest", "ccpa_business_purpose"],
"data_domains": ["sales", "customer", "product_catalog", "revenue_analytics"],
"data_access_level": ["sales_management_oversight"],
"retention_policy": ["7_years_customer_relationship"],
"business_function": ["sales_management"],
"audit_category": ["management_analytics"],
"special_permissions": ["team_performance", "revenue_forecasting"]
}
aw-hr-manager (new role):
{
"compliance_scope": ["gdpr_employment_data", "employment_law"],
"data_domains": ["human_resources", "employee_personal_data", "performance_data"],
"data_access_level": ["hr_management_oversight"],
"retention_policy": ["30_years_employment_law"],
"business_function": ["human_resources_management"],
"audit_category": ["employee_management"],
"special_permissions": ["performance_reviews", "compensation_management"]
}
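The same roles expressed as code, as an added example that is not part of the workshop and is not Keycloak's or PDC's own tooling: a Python script that holds the two roles created above and the suggested aw-hr-manager role as Keycloak RoleRepresentations, checks that each role carries the governance attributes the workshop uses, splits comma-joined values such as gdpr_legitimate_interest,ccpa_business_purpose into separate entries (Keycloak stores each role attribute as a list of strings and does not split on commas, so a mapper looking for one value would not match the joined string), and, only when KEYCLOAK_URL and admin credentials are set in the environment, creates the roles through the Admin REST API. The attribute schema, the environment variable names, the realm placeholder and the aw-hr-manager description are assumptions made for the example.

```python
"""Added example (not part of the workshop): express the Adventure Works roles as
Keycloak RoleRepresentations, lint their governance attributes, optionally push them."""
import json
import os
import urllib.parse
import urllib.request

# Roles and attributes as the workshop lists them. Keycloak stores every role
# attribute as a list of strings, so multi-valued entries are lists here.
AW_ROLES = {
    "aw-system-administrator": {
        "description": "Adventure Works enterprise data governance with full technical compliance oversight.",
        "attributes": {
            "business_function": ["system_administrator"],
            "compliance_scope": ["technical_custodian"],
            "data_access_level": ["all_permissions"],
            "emergency_access": ["enabled"],
            "data_domains": ["all_adventureworks"],
        },
    },
    "aw-sales-analyst": {
        "description": "Adventure Works sales data analysis and customer insights.",
        "attributes": {
            "business_function": ["sales_analytics"],
            "compliance_scope": ["gdpr_legitimate_interest", "ccpa_business_purpose"],
            "data_access_level": ["sales_domain_only"],
            "audit_category": ["business_analytics"],
            "retention_policy": ["7_years_customer_relationship"],
            "data_domains": ["sales", "customer", "product_catalog"],
        },
    },
    "aw-hr-manager": {  # suggested role from the workshop; the description is assumed
        "description": "Adventure Works HR management with employment-law compliance.",
        "attributes": {
            "business_function": ["human_resources_management"],
            "compliance_scope": ["gdpr_employment_data", "employment_law"],
            "data_access_level": ["hr_management_oversight"],
            "audit_category": ["employee_management"],
            "retention_policy": ["30_years_employment_law"],
            "data_domains": ["human_resources", "employee_personal_data", "performance_data"],
            "special_permissions": ["performance_reviews", "compensation_management"],
        },
    },
}

# Schema assumed for this example: every role carries the four core governance
# attributes; business (non-administrator) roles also carry audit and retention.
CORE_ATTRIBUTES = ("business_function", "compliance_scope", "data_access_level", "data_domains")
BUSINESS_ATTRIBUTES = ("audit_category", "retention_policy")


def split_multivalued(attributes):
    """Turn values typed as 'a,b' in the admin console into separate entries.
    Keycloak does not split on commas, so a mapper matching 'gdpr_legitimate_interest'
    would never see it inside the joined string."""
    return {key: [part.strip() for value in values for part in value.split(",") if part.strip()]
            for key, values in attributes.items()}

def missing_attributes(name, spec):
    """Governance attributes the role lacks; an empty list means it is complete."""
    required = list(CORE_ATTRIBUTES)
    if not name.endswith("-administrator"):
        required += BUSINESS_ATTRIBUTES
    return [key for key in required if not spec["attributes"].get(key)]

def lint_roles(roles):
    """Role name -> missing attributes, listing incomplete roles only."""
    return {name: gaps for name, spec in roles.items() if (gaps := missing_attributes(name, spec))}

def role_representation(name, spec):
    """Request body for POST /admin/realms/{realm}/roles (a Keycloak RoleRepresentation)."""
    return {"name": name, "description": spec["description"],
            "attributes": split_multivalued(spec["attributes"])}

def admin_token(base_url, username, password):
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base_url}/realms/master/protocol/openid-connect/token", form) as resp:
        return json.load(resp)["access_token"]

def create_role(base_url, realm, token, body):
    """Create one realm role; Keycloak answers 201, or 409 (raised as HTTPError) if it exists."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/roles", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print("incomplete roles:", lint_roles(AW_ROLES) or "none")
    base_url = os.environ.get("KEYCLOAK_URL")  # e.g. http://localhost:8080 (assumed; unset = lint only)
    if base_url:
        realm = os.environ.get("KEYCLOAK_REALM", "REALM-NAME-PLACEHOLDER")  # ID of the PDC realm
        token = admin_token(base_url, os.environ["KEYCLOAK_USER"], os.environ["KEYCLOAK_PASSWORD"])
        for name, spec in AW_ROLES.items():
            print(name, create_role(base_url, realm, token, role_representation(name, spec)))
```

Run it with no KEYCLOAK_URL set to lint the role definitions only. After creating roles through the API (or by hand in the console), open the role's Attributes tab and confirm that compliance_scope shows two separate entries rather than one comma-joined value; that is the form a downstream mapper can match on.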
