Creating a user and granting access rights

1. Creating a user in the system

To create a new user (officer) in Keycloak, follow these steps:

  1. Go to the <registry-name>-officer-portal realm of the respective registry:

    • On the Users tab, click View all users.

    • Click the Add user button.

      [Screenshot: user management 04]

  2. In the opened window, enter the following user’s data:

    • Username (required) — the system name of the user in Keycloak. It does not affect user authentication.

      As an exception, it can be used to log into internal system services that require login-and-password authentication.

    • First Name (optional) — the user’s first name.

    • Last Name (optional) — the user’s last name.

    • User Enabled (enabled by default) — a mark indicating that the user is activated in the system (if not active, the user’s access to the system will be restricted).

    • Email Verified (optional) — activated if email confirmation is required.

    [Screenshot: user management 33]

  3. Click the Save button.

  4. Go to the Credentials tab.

  5. Enter the password in the Password field and confirm it in the Password Confirmation field. Check the Temporary box to generate a temporary password.

    For security reasons, the temporary password must be changed at the first login to the system.

    [Screenshot: user management 34]

  6. Click the Set Password button.


  7. Go to the Role Mappings tab and assign the necessary roles to the user. Click the Add selected button.

    Verify that the user has the mandatory officer role assigned, which provides access to the Officer Portal.

    You can also assign additional roles depending on your registry’s logic.

    [Screenshot: user management 36]

  8. The assigned roles are displayed in the Assigned Roles section.

    [Screenshot: user management 37]

  9. Go to the Attributes tab and set values for the parameter keys drfo, edrpou, and fullName, which are mandatory for authentication with the user’s Qualified Electronic Signature (see Registry user authentication). A new parameter is added after you click the Add button.

    If the attribute values do not match the values in the user’s Qualified Electronic Signature, the user will not be able to access the Officer Portal or sign tasks with the Qualified Electronic Signature.

    Attribute: drfo (mandatory: Yes)
        State register of individual taxpayers. The official’s personal registration number of the taxpayer’s account card (RNOKPP). If the person did not receive such a card due to religious beliefs, specify the series and number of the passport or the ID card number instead.

    Attribute: edrpou (mandatory: Yes)
        The unique identification number of the legal entity in the Unified State Register of Enterprises and Organizations of Ukraine (8 digits).

    Attribute: fullName (mandatory: Yes)
        Last name, first name, patronymic (if available).

    Attribute: <custom-attribute> (mandatory: No)
        Any attribute with a custom name and value (e.g., organization name, region, district, locality, etc.) if there is a future need to generate statistics based on it. Special characters ([, ], {, }, \, ") and values longer than 255 characters are not allowed. The name of each additional attribute must be the same for all users in the registry and must be unique among the other parameters.

        E.g. location, age and so on.

    [Screenshot: user management 42]

  10. Click the Save button.

The user has been successfully created.
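The attribute and role rules above (mandatory drfo, edrpou and fullName; an 8-digit edrpou; no [, ], {, }, \ or " characters; at most 255 characters per value; the mandatory officer role) are easy to get wrong by hand, and a mismatch only shows up when the officer tries to log in. The following is an added example, not code from the page or the registry platform, that checks those rules and assembles the JSON body for Keycloak's admin REST endpoint POST /admin/realms/{realm}/users. The field names (username, enabled, emailVerified, attributes, credentials, firstName, lastName) are the ones Keycloak's UserRepresentation uses; the sample attribute values and the username are constructed. Role mapping is a separate step in Keycloak (the Role Mappings tab, or a separate role-mapping request), so roles are validated here but not sent in this body.

```python
"""Validate officer attributes and roles before creating the user in Keycloak."""
import re

# Attribute keys the page marks as mandatory for Qualified Electronic Signature authentication.
MANDATORY_ATTRIBUTES = ("drfo", "edrpou", "fullName")
# Characters the page forbids in attribute values.
FORBIDDEN_CHARS = frozenset('[]{}\\"')
# Maximum attribute value length from the page.
MAX_ATTRIBUTE_LENGTH = 255
# Role the page says every officer must have to reach the Officer Portal.
REQUIRED_ROLE = "officer"


def validate_attributes(attributes):
    """Return a list of problems in an attribute map (name -> value); empty means valid."""
    problems = []
    for key in MANDATORY_ATTRIBUTES:
        if not attributes.get(key, "").strip():
            problems.append(f"missing mandatory attribute {key!r}")
    edrpou = attributes.get("edrpou", "")
    if edrpou and not re.fullmatch(r"[0-9]{8}", edrpou):
        problems.append("edrpou must be exactly 8 digits")
    for key, value in attributes.items():
        bad = sorted(FORBIDDEN_CHARS.intersection(value))
        if bad:
            problems.append(f"attribute {key!r} contains forbidden characters {''.join(bad)!r}")
        if len(value) > MAX_ATTRIBUTE_LENGTH:
            problems.append(f"attribute {key!r} is longer than {MAX_ATTRIBUTE_LENGTH} characters")
    return problems


def validate_roles(roles):
    """Return a list of problems with the role set; the officer role is mandatory."""
    if REQUIRED_ROLE not in roles:
        return [f"missing mandatory role {REQUIRED_ROLE!r}"]
    return []


def build_user_representation(username, password, attributes, roles,
                              first_name=None, last_name=None):
    """Build the JSON body for POST /admin/realms/{realm}/users (Keycloak admin REST API).

    Raises ValueError if the attribute or role constraints are violated. Roles are only
    validated: Keycloak assigns them in a separate role-mapping step, not in this body.
    """
    problems = validate_attributes(attributes) + validate_roles(roles)
    if problems:
        raise ValueError("; ".join(problems))
    user = {
        "username": username,
        "enabled": True,          # User Enabled, on by default
        "emailVerified": False,   # Email Verified, optional
        # Keycloak stores every attribute as a list of values.
        "attributes": {key: [value] for key, value in attributes.items()},
        # Temporary password: the user must change it at first login.
        "credentials": [{"type": "password", "value": password, "temporary": True}],
    }
    if first_name:
        user["firstName"] = first_name
    if last_name:
        user["lastName"] = last_name
    return user


# Constructed sample data (not from the page) for a stand-alone run.
SAMPLE_ATTRIBUTES = {
    "drfo": "1234567890",
    "edrpou": "12345678",
    "fullName": "Shevchenko Taras Hryhorovych",
    "region": "Kyiv",
}

if __name__ == "__main__":
    print(validate_attributes(SAMPLE_ATTRIBUTES))
    print(build_user_representation("t.shevchenko", "Temp-Pass-1",
                                    SAMPLE_ATTRIBUTES, ["officer"]))
```

The checks mirror the table: a missing mandatory key, a malformed edrpou, a forbidden character or an over-long value each produce a separate message, so an operator (or a provisioning script) can fix all problems in one pass instead of discovering them one login failure at a time.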

2. Removing a role from a user

To remove roles assigned to a user, follow these steps:

  1. Select a user. To do this, choose the corresponding realm, go to the Users section, click View all users, and select the user from the list.

    [Screenshot: user management 40]

  2. Select the roles you want to remove from the list and click Remove selected.

    [Screenshot: user management 38]

  3. The removed roles become available again and are shown in the Available Roles section.

    [Screenshot: user management 39]