AW Roles & Attributes
Keycloak custom Roles & Attributes
Keycloak Custom Roles
In this hands-on workshop, you'll learn how to create custom roles and attributes in Keycloak that establish the identity federation layer supporting PDC's data governance framework. We'll walk through designing Adventure Works-specific roles with detailed compliance attributes that create the foundation for audit trails, regulatory compliance, and business-aligned data access controls meeting GDPR, CCPA, and SOX requirements.
By the end of this workshop, you will be able to:
Create custom business-specific roles in Keycloak for enterprise data governance
Design comprehensive role attributes that support regulatory compliance requirements
Implement audit-ready role structures for GDPR, CCPA, LGPD, and SOX compliance
Configure role-based access controls that align with business functions and data domains
Establish retention policies and access levels through role attributes
Build the identity foundation that integrates with PDC's data governance capabilities
Create scalable role architectures for complex organizational compliance needs
Workshop Role Structure: You'll create and configure roles including:
aw-system-administrator with full governance oversight and permanent retention
aw-datasource-administrator with full data source access
aw-data-steward with cross-domain quality oversight and 7-year retention
aw-sales-manager with sales analytics access and customer relationship compliance
aw-hr-manager with employee data access and employment law compliance
This workshop establishes the critical "WHO" component with detailed attributes that enable PDC to make sophisticated "WHAT" decisions about data access based on compliance scope, business function, and audit requirements.

Log into Keycloak:
Username: admin
Password: admin
Ensure you select the Pentaho Data Catalog Realm.
Select: Realm Roles:
Enter the following:
Role name: aw-system-administrator
Description: Adventure Works enterprise data governance with full technical compliance oversight.

Click Save.
Click on Attributes.
The attributes are not 'leveraged' in this implementation. The AW Roles are going to be 'mapped'.

Add the following attributes:
aw-system-administrator
business_function: system_administrator
compliance_scope: techical_custodian
data_access_level: all_permissions
emergency_access: enabled
data_domains: all_adventureworks

Click: Save
Repeat to create the roles and add the attributes:
AW Sales Analyst
A Sales Analyst leverages the AdventureWorks2022 database to extract, analyze, and interpret sales performance data to drive business insights and strategic decision-making. This role involves querying and analyzing data from the Sales schema, including customer transactions, order details, sales territories, and product performance metrics to identify trends, forecast revenue, and evaluate sales effectiveness.
The Sales Analyst creates reports and dashboards that track key performance indicators such as sales growth, customer acquisition, product profitability, and regional performance, while collaborating with sales leadership to translate data findings into actionable recommendations. They also conduct comparative analyses across time periods and territories, investigate anomalies in sales patterns, and support pricing and promotional strategies by analyzing historical data and market trends within the AdventureWorks catalog.
Click: Create role
Enter: Role name: aw-sales-analyst
Description: Adventure Works sales data analysis and customer insights.
business_function: sales_analytics
compliance_scope: gdpr_legitimate_interest,ccpa_business_purpose
data_access_level: sales_domain_only
audit_category: business_analytics
retention_policy: 7_years_customer_relationship
data_domains: sales,customer,product_catalog
HR Specialist
An HR Specialist utilizes the AdventureWorks2022 database to manage and analyze employee-related data, supporting strategic workforce planning and human resources operations. This role involves working with data from the HumanResources schema, including employee demographics, organizational hierarchies, department structures, job titles, compensation records, and employment history to track workforce metrics and ensure accurate personnel recordkeeping.
The HR Specialist generates reports on headcount, turnover rates, compensation analysis, and departmental staffing levels, while maintaining data privacy and compliance with employment regulations. They collaborate with department managers to support recruitment needs, analyze workforce trends, conduct pay equity assessments, and provide data-driven insights that inform talent management strategies, succession planning, and organizational development initiatives within the AdventureWorks catalog.
Click: Create role
Enter: Role name: aw-hr-specialist
Description: Adventure Works human resources data management and analytics.
business_function: human_resources
compliance_scope: gdpr_employment_data,employment_law
data_access_level: hr_domain_only
audit_category: employee_management
retention_policy: 30_years_employment_law
data_domains: human_resources,employee_personal_data
special_categories: gdpr_article_9_employment
AW Compliance Officer
A Compliance Officer ensures that data management practices within the AdventureWorks2022 database adhere to regulatory requirements, industry standards, and internal policies governing data privacy, security, and ethical use. This role involves monitoring data handling procedures across Sales, HumanResources, Production, and Purchasing schemas to ensure compliance with regulations such as GDPR, CCPA, and employment laws, while conducting regular audits to verify data integrity and proper access controls.
The Compliance Officer establishes and enforces data governance frameworks, reviews data retention and deletion policies, investigates potential compliance breaches, and maintains comprehensive audit trails for regulatory reporting purposes. They collaborate with Data Stewards, IT security teams, and legal counsel to assess compliance risks, implement corrective measures when violations occur, and provide training to employees on data handling best practices, ensuring the organization maintains regulatory compliance and protects sensitive information throughout the AdventureWorks catalog.
Click: Create role
Enter: Role name: aw-compliance-officer
Description: Adventure Works regulatory compliance monitoring and audit management.
business_function: regulatory_compliance
compliance_scope: gdpr,ccpa,lgpd,sox,pci_dss
data_access_level: audit_read_only
audit_category: compliance_oversight
retention_policy: regulatory_audit_requirements
data_domains: all_domains_audit_access
special_permissions: data_subject_rights,breach_investigation
AW Data Steward
An AdventureWorks Data Steward is responsible for ensuring the quality, integrity, and proper governance of data within the AdventureWorks2022 database catalog. This role involves defining and enforcing data standards, maintaining metadata documentation for tables such as Sales, Production, Human Resources, and Purchasing schemas, and establishing clear data definitions and business glossaries that align with organizational needs.
The Data Steward acts as a liaison between technical teams and business users, resolving data quality issues, managing access permissions, and ensuring compliance with data policies. They also oversee data lineage tracking, coordinate data remediation efforts when inconsistencies arise, and facilitate the discoverability and understanding of AdventureWorks datasets to enable effective decision-making across the organization.
Click: Create role
Enter: Role name: aw-data-steward
Description: Adventure Works cross-domain data quality and governance oversight.
business_function: data_stewardship
compliance_scope: gdpr,ccpa,data_quality
data_access_level: metadata_governance
audit_category: stewardship
retention_policy: 7_years_governance
AW System Administrator
A System Administrator is responsible for the technical infrastructure, performance, and availability of the AdventureWorks2022 database environment within the data catalog ecosystem. This role involves managing database server configurations, implementing backup and disaster recovery procedures, monitoring system performance and resource utilization, and ensuring optimal query execution across all schemas including Sales, Production, HumanResources, and Purchasing.
The System Administrator handles user account provisioning, configures role-based access controls and security permissions, applies software patches and updates, and troubleshoots technical issues to maintain database uptime and reliability. They work closely with Data Stewards and developers to optimize database performance through index management and query tuning, implement data integration pipelines connecting AdventureWorks to the data catalog platform, and maintain comprehensive system documentation including architecture diagrams, configuration standards, and incident response procedures to ensure the database infrastructure remains secure, scalable, and accessible to authorized users.
Click: Create role
Enter: Role name: aw-system-administrator
Description: Adventure Works cross-domain data quality and governance oversight
business_function: system_administration
compliance_scope: techical_custodian
data_access_level: all_permissions
emergency_access: enabled
data_domains: all_adventureworks
AW Datasource Administrator
A data source administrator (DSA) is responsible for the performance, integrity, and security of an organization's data sources. Their core duties include installing and configuring data source systems, monitoring performance and optimizing queries, implementing backup and recovery strategies, managing user access and permissions, and ensuring data security through proper authentication and encryption protocols.
DSAs also plan for capacity and scalability, troubleshoot issues, apply patches and updates, and maintain documentation of database structures and procedures. In the context of systems like AdventureWorks2022, a DBA would ensure the database remains available, performs efficiently for catalog operations, and that data remains accurate and protected from unauthorized access or loss.
Click: Create role
Enter: Role name: aw-datasource-administrator
Description: Adventure Works data source administrators who are responsible for the performance, integrity, and security of an organization's data sources.
business_function: datasource_administration
compliance_scope: techical_custodian
data_access_level: admin
allowed_databases: adventureworks2022
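
Added example (not part of the workshop material): the attribute sets of three of the roles above held as data, converted to the list-valued JSON form this page uses for its suggested manager roles, and checked against an audit baseline. The required-key baseline, the function names, and the choice to split comma-separated values into separate list entries are assumptions made for this example.

```python
# Attribute values as typed into the Attributes tab for three of the roles above.
ROLES = {
    "aw-sales-analyst": {
        "business_function": "sales_analytics",
        "compliance_scope": "gdpr_legitimate_interest,ccpa_business_purpose",
        "data_access_level": "sales_domain_only",
        "audit_category": "business_analytics",
        "retention_policy": "7_years_customer_relationship",
        "data_domains": "sales,customer,product_catalog",
    },
    "aw-data-steward": {
        "business_function": "data_stewardship",
        "compliance_scope": "gdpr,ccpa,data_quality",
        "data_access_level": "metadata_governance",
        "audit_category": "stewardship",
        "retention_policy": "7_years_governance",
    },
    "aw-system-administrator": {
        "business_function": "system_administration",
        "compliance_scope": "techical_custodian",  # spelled as on the page
        "data_access_level": "all_permissions",
        "emergency_access": "enabled",
        "data_domains": "all_adventureworks",
    },
}
# Assumed audit baseline (not from the workshop): keys every role must carry.
REQUIRED_KEYS = ("business_function", "compliance_scope", "data_access_level",
                 "audit_category", "retention_policy", "data_domains")
PRIVILEGED_LEVELS = {"all_permissions", "admin"}  # access levels used on this page

def to_role_json(name, attrs):
    """Split comma-separated values into the list-of-strings attribute form."""
    return {"name": name, "attributes": {
        key: [v.strip() for v in raw.split(",") if v.strip()]
        for key, raw in attrs.items()}}

def audit_roles(roles):
    """Return {role: {"missing": [...], "privileged": bool}} for incomplete roles."""
    findings = {}
    for name, attrs in roles.items():
        missing = [k for k in REQUIRED_KEYS if not attrs.get(k, "").strip()]
        privileged = (attrs.get("data_access_level") in PRIVILEGED_LEVELS
                      or attrs.get("emergency_access") == "enabled")
        if missing:
            findings[name] = {"missing": missing, "privileged": privileged}
    return findings

if __name__ == "__main__":
    print(to_role_json("aw-sales-analyst", ROLES["aw-sales-analyst"]),
          audit_roles(ROLES), sep="\n")
```

Gaps reported on a role flagged as privileged are the ones to resolve first, since those roles carry the broadest access.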

Role Attribute Suggestions:
So what's missing?
HR_Managers
Sales_Managers
You should assign appropriate roles to HR_Managers and Sales_Managers groups to complete your role structure.
aw-sales-manager (new role):
{
"compliance_scope": ["gdpr_legitimate_interest", "ccpa_business_purpose"],
"data_domains": ["sales", "customer", "product_catalog", "revenue_analytics"],
"data_access_level": ["sales_management_oversight"],
"retention_policy": ["7_years_customer_relationship"],
"business_function": ["sales_management"],
"audit_category": ["management_analytics"],
"special_permissions": ["team_performance", "revenue_forecasting"]
}
aw-hr-manager (new role):
{
"compliance_scope": ["gdpr_employment_data", "employment_law"],
"data_domains": ["human_resources", "employee_personal_data", "performance_data"],
"data_access_level": ["hr_management_oversight"],
"retention_policy": ["30_years_employment_law"],
"business_function": ["human_resources_management"],
"audit_category": ["employee_management"],
"special_permissions": ["performance_reviews", "compensation_management"]
}
