The EWC IAM system is part of the European Weather Cloud (EWC), providing centralized identity and access management based on Keycloak. This system ensures that users can securely access various EWC services with a single set of credentials.
To help you understand how the system works, this section covers the fundamental concepts and components involved.
A Realm in Keycloak is like a space where user identities, roles, and permissions are managed. Realms are logical units within Keycloak that keep different applications and their user bases separate. Each realm has its own setup, including unique configurations, users, roles, and clients.
In the EWC, each tenant has its own dedicated Realm, created during the on-boarding process.
A User in Keycloak is anyone who needs to access the EWC services. Each user has a unique identity and a set of credentials (such as a username and password) used to log in. User accounts are scoped to a single tenancy: a user who has access to multiple EWC tenancies has a separate account in the IAM of each tenancy.
Roles define what actions users or groups of users can perform within the EWC IAM and the connected clients (applications and services). Roles come with certain responsibilities and permissions. For example, an "Admin" role might have permissions to manage other users and configure settings.
The EWC IAM has a set of predefined roles available. Tenant admins can create additional roles if their specific use cases require them.
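Keycloak communicates a user's roles to a connected client inside the access token it issues: realm-wide roles appear under the `realm_access.roles` claim and client-scoped roles under `resource_access.<client-id>.roles`. The following example, added here and not part of the EWC documentation or the EWC IAM code, shows how a client application would read both kinds of role from a token and decide whether the caller may perform an action. The realm URL, client ids, username and role names are constructed for the example; the token is built locally without a signature, so the parsing step is shown in isolation and a real client must first verify the RS256 signature against the realm's JWKS and check `iss`, `aud` and `exp` before trusting any claim.

```python
from __future__ import annotations

import base64
import json
from typing import Any

# Constructed sample claims in Keycloak's token layout. Every value below is
# invented for this example (hypothetical realm URL, client ids and roles).
SAMPLE_CLAIMS: dict[str, Any] = {
    "iss": "https://iam.example/realms/example-tenant",  # hypothetical realm
    "azp": "data-portal",  # hypothetical client that requested the token
    "preferred_username": "alice",
    "realm_access": {"roles": ["tenant-user"]},  # realm-wide roles
    "resource_access": {  # roles scoped to individual clients
        "data-portal": {"roles": ["viewer"]},
        "admin-console": {"roles": ["manage-users"]},
    },
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWT encoding strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(claims: dict[str, Any]) -> str:
    """Assemble a header.payload.signature string for the example.

    The signature segment is left empty because this is a constructed sample;
    Keycloak signs real tokens with the realm's RS256 key.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def extract_roles(token: str, client_id: str) -> tuple[set[str], set[str]]:
    """Return (realm roles, roles scoped to client_id) from the token payload.

    Only the claims are parsed here; signature, issuer, audience and expiry
    checks belong before this call in a real client.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not in header.payload.signature form")
    claims = json.loads(_b64url_decode(parts[1]))
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(
        claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    )
    return realm_roles, client_roles


def is_authorised(token: str, client_id: str, required: str) -> bool:
    """True if the token grants `required` realm-wide or for this client.

    Roles granted to a different client are deliberately not honoured, so a
    role that only exists for "admin-console" does not open "data-portal".
    """
    realm_roles, client_roles = extract_roles(token, client_id)
    return required in realm_roles or required in client_roles


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    for client, role in [("data-portal", "viewer"), ("data-portal", "manage-users")]:
        print(f"{client}: {role} -> {is_authorised(token, client, role)}")
```

The design point is the separation of realm roles from client roles: a tenant admin who creates a role for one client should not expect it to grant anything in another client, and the check above reflects that by looking up `resource_access` under the calling client's own id only.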
Clients in Keycloak represent applications and services that EWC users access using their IAM credentials. Each client has its own settings and permissions.
The EWC IAM supports two kinds of client endpoints:
TODO
TODO