Add A User
Users are created in Keycloak.
We should ideally be using Keycloak as intended, with roles, scopes and so on. However, when this was first implemented there was not enough time to work out how to get clients to retrieve the correct roles from the Keycloak API, so the access model we actually use is a bit of a kludge built on groups and attributes.
Add to Keycloak
In Keycloak, go to Users > Add User and fill in the details as necessary.
If you are not adding this user to Grafana, you should use a temporary password and set an Update Password action for the user to reset the password on next login.
Otherwise just choose something you can remember yourself for a moment as we’ll reset it shortly.
Add to Grafana
Grafana doesn’t really play nicely with Keycloak OAuth, and is really just a vanilla SSO implementation, so it doesn’t recognise groups, roles, etc. There is therefore a small song-and-dance you have to go through to register the user:
- Log in to Grafana as the Keycloak user with the SSO login button.
  - This registers the user with Grafana, which would otherwise have no idea that they existed.
- Log out from this user in Grafana, and back into Grafana with an administrator account.
- Then follow Add a User for instructions on adding users to Organisations.
If you have been using a temporary password, go back to Keycloak and set the user action to Update Password under `Users > <username> > Details > Required User Actions`.
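The two password paths above, scripted against the Keycloak Admin REST API rather than the console, as an added example that is not part of the original runbook. The base URL, realm name and function names are placeholders, and a random initial password stands in for one you pick yourself.

```python
import json
import secrets
import urllib.request

# Assumed placeholders, not values from this page.
KEYCLOAK = "https://keycloak.example.internal"
REALM = "example-realm"

def new_user_payload(username, email, for_grafana):
    """UserRepresentation for the 'Add to Keycloak' step, plus the initial password."""
    password = secrets.token_urlsafe(18)
    user = {
        "username": username,
        "email": email,
        "enabled": True,
        # A Grafana user must complete one SSO login with this password first,
        # so it is only marked temporary when Grafana is not involved.
        "credentials": [{"type": "password", "value": password,
                         "temporary": not for_grafana}],
        "requiredActions": [] if for_grafana else ["UPDATE_PASSWORD"],
    }
    return user, password

def require_password_update(user):
    """Body for PUT /users/{id}: add Update Password, keep any other actions."""
    actions = list(user.get("requiredActions", []))
    if "UPDATE_PASSWORD" not in actions:
        actions.append("UPDATE_PASSWORD")
    return {"requiredActions": actions}

def admin_call(method, path, body, token):
    """Send one JSON request to the Admin REST API and return the HTTP status."""
    req = urllib.request.Request(
        f"{KEYCLOAK}/admin/realms/{REALM}{path}",
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

def add_user(username, email, for_grafana, token):
    """Create the user; the caller passes the password on or uses it for the Grafana login."""
    payload, password = new_user_payload(username, email, for_grafana)
    admin_call("POST", "/users", payload, token)
    return password
```

For a Grafana user, send the `require_password_update` body only after the SSO login and Organisation steps are done, so the user is forced to replace the initial password at their next login.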
Set Permission Roles
See Roles & Permission.
Set Infra Access
See Grant User Access.