Administration
Users and groups

Manage users and groups

When you deploy and host MOSTLY AI for your organization, you can manage access to MOSTLY AI with the Keycloak and Access Management services.

Manage groups

With groups, you can manage a common set of access privileges for a set of users. Users can be members of zero or more groups. They inherit the access privileges assigned to each group.

Steps

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    For example, https://mostlyai.mycompany.com/auth.

  2. Keycloak’s welcome page appears. Select Administration Console and enter the Admin credentials that were created during installation.

    • If you are running a Docker-based version of MOSTLY AI, you can find these credentials in the docker-compose.yml file located in the /opt/mostly-ai/etc/ directory: The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.

      mostly-keycloak:
          image: mostlyai/mostly-keycloak:latest
          container_name: mostly-keycloak
          hostname: mostly-keycloak
          depends_on:
          - mostly-keycloak-postgres
          environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt
    • If you are running a K8s / OCP version of MOSTLY AI, you can find them (base64 encoded) in the section Keycloak.secrets:

      secrets:
      ...
      admin_password: (base64 encoded)
      admin_username: (base64 encoded)
      ...
  3. Once you’re in the Administration Console, click the drop-down menu in the top left and switch from the master to the mostly-generate realm. Then, select Groups from the menu on the left.
    You can now see the user groups that are currently available.
    Click New to create a new group or Edit to manage the access permissions of an existing group.

    Keycloak 1
  4. If you select New, a Create group page will appear where you can fill out the name of your new group. Click Save when done.

    Keycloak 2
  5. On the next page, select the Role mappings tab to see the available and assigned roles for your group. Select the roles you want to assign and click on Add selected. You can leave Keycloak once you’re done.

    Keycloak 3

    We recommend assigning the roles that start with Manage, Use, View, and Stop. These are composite roles that combine one or more granularly defined roles. You can identify these by the underscore (_) at the beginning of their name. The table below lists all the composite roles you can choose from.

    RoleDescription
    ManageDataConnectorCreate, update, read, and delete connectors.
    UseDataConnectorUse connectors for synthetic datasets and catalogs and see their details.
    ManageDataCatalogCreate, update, read, and delete catalogs.
    UseDataCatalogUse catalogs to generate synthetic datasets and see their details.
    ManageJobsStart, stop, update, and delete synthetic datasets, and download its assets.
    StopJobsStop a running synthetic dataset, exit the training and generation steps, and delete a synthetic dataset.
    ViewJobsView the synthetic datasets list and summary, including progress, QA report, and download their assets.
    ManageUserView the user list and user details, view the Active Directory connection details and update them, and syncronize Active Directory with MOSTLY AI's user directory.
    ManageLicenseView the license and activate it.
    UseAPIUse all endpoints of the public API.
    ManageAPICreate an API key for the public API.
    ManageGroupSharingChange which groups have access to a synthetic dataset, catalog, or connector.
    ManagePublicSharingProvide view access to a synthetic dataset, catalog, or connector to everyone.
    ManageOwnerSharingChange the owner of a resource.
    ReportingEnables the creation of the QA report.

If you create a group, MOSTLY AI will allow you to share Synthetic datasets, Catalogs and Connectors between the members of that group.

You can find a video here on how to create local users and define permissions for them: Creating Local Users and Setting Permissions (opens in a new tab)

Manage users

Follow the steps below to manually add users. Alternatively, you can also integrate Keycloak with your company’s Active Directory by following these steps.

Steps

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    For example, https://mostlyai.mycompany.com/auth.

  2. Keycloak’s welcome page will now appear. Select Administration Console and enter the Admin credentials that were created during installation.

    • If you are running a Docker-based version of MOSTLY AI, you can find these credentials in the docker-compose.yml file located in the /opt/mostly-ai/etc/ directory: The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.
      mostly-keycloak:
          image: mostlyai/mostly-keycloak:latest
          container_name: mostly-keycloak
          hostname: mostly-keycloak
          depends_on:
          - mostly-keycloak-postgres
          environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt
    • If you are running a K8s / OCP version of MOSTLY AI, you can find them (base64 encoded) in the section Keycloak.secrets:
      secrets:
      ...
      admin_password: (base64 encoded)
      admin_username: (base64 encoded)
      ...
  3. Once you are in Keycloak, click the drop-down menu in the top left and switch from the master to the mostly-generate realm. Then, click on Users in the left side menu and then on the Add user button on the Users page.

    Users - Keycloak 1
  4. If you’ve clicked on Add user, a new page appears where you can fill out their Email, First Name, and Last Name. Click Save when done.

    Users - Keycloak 2
  5. Next, the user profile page appears. Select the Credentials tab to set a password for this user account. Once you’ve entered the new password in the Password and Password confirmation fields, click Set password and confirm.

    Users - Keycloak 3
  6. Switch to the Groups tab to assign the user to one or more groups.

    Users - Keycloak 4

IMPORTANT: Make sure that your new users are at least in the Public group, plus any new group you create and want them to be a part of.

Integrate Keycloak with Active Directory

Take the following steps to integrate Keycloak with your company’s Active Directory:

Steps

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    For example, https://mostlyai.mycompany.com/auth,

  2. Keycloak’s welcome page will now appear. Select Administration Console and enter the Admin credentials that were created during installation.

    • If you are running a Docker-based version of MOSTLY AI, you can find these credentials in the docker-compose.yml file located in the /opt/mostly-ai/etc/ directory: The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.
      mostly-keycloak:
          image: mostlyai/mostly-keycloak:latest
          container_name: mostly-keycloak
          hostname: mostly-keycloak
          depends_on:
          - mostly-keycloak-postgres
          environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt
    • If you are running a K8s / OCP version of MOSTLY AI, you can find them (base64 encoded) in the section Keycloak.secrets:
      secrets:
      ...
      admin_password: (base64 encoded)
      admin_username: (base64 encoded)
      ...
  3. Once you’re in Keycloak, click the drop-down menu in the top left and switch from the master to the mostly-generate realm. Then, click User Federation from the menu on the left ldap from the drop-down menu to navigate further.

    Integrate with Active Directory - Keycloak 1
  4. Next, fill out the fields on the Add user federation page. You can find descriptions for each field below the screenshot.

    Integrate with Active Directory - Keycloak 2
    Username LDAP attributeSpecify the LDAP attribute that becomes the user’s username in MOSTLY AI. Examples of suitable attributes are mail, sAMAccountName, or cn.
    RDN LDAP attributeSpecify the LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually, it’s the same as the Username LDAP attribute.
    UUID LDAP attributeSpecify the LDAP attribute used as a unique object identifier (UUID) for objects in LDAP. For Active Directory, this is objectGUID.
    User Object ClassesEnter the values of the LDAP objectClass attribute for users, separated by commas. Example: person, organizationalPerson, user.
    Search ScopeSelect Subtree or One Level — if the node listed in Users DN contains nested nodes with users, select Subtree. Otherwise, select one level.
    Connection URLSpecify the the domain name or IP address of the Active Directory server.
    Users DNSpecify the subtree where the users reside using comma-separated relative distinguished names (RDNs).
    Custom user search filterUse a filter to select users from the full list of users in the Users DN node.
    Bind typeSpecify the authentication mechanism for connecting to the Active Directory server.
    Bind DNProvide a Bind DN to authenticate MOSTLY AI on the Active Directory server.
    Bind credentialEnter the Bind credential (password) for the Bind DN.