MOSTLY AI release 2.2 comes with enhanced user management capabilities. You’re now able to create groups, manage group-level access permissions, and let users share synthetic data assets with these groups.

You can add and delete users by synchronizing MOSTLY AI’s user directory to your company’s Active Directory or by creating them directly in the Keycloak Identity and Access Management service that is part of MOSTLY AI’s installation.

To set up the connection between MOSTLY AI and Active Directory, please follow the instructions in the section Connecting to Active Directory.

Read on to learn how to manage groups and users in Keycloak.

Managing groups

Groups allow you to manage a common set of access privileges for a set of users. Users can be members of zero or more groups. They inherit the access privileges assigned to each group.

The steps below explain how to create groups and update their access privileges.

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    http://mostlyai.mycompany.com/auth, for example.


  2. Keycloak’s welcome page will now appear. Select Administration Console and enter the Admin credentials that were created during installation. You can also find these credentials in the docker-compose.yml file located in the /opt/mostly-generate/etc/ directory.

    The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.

      mostly-keycloak:
        image: mostlyai/mostly-keycloak:latest
        container_name: mostly-keycloak
        hostname: mostly-keycloak
        depends_on:
          - mostly-keycloak-postgres
        environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt


  3. Once you’re in the Administration Console, click on Groups in the left side menu. Here you will see the user groups that are currently available. Click on New to create a new group or on Edit to manage the access permissions of an existing group.


  4. If you chose New, a Create group page will appear where you can fill out the name of your new group. Click Save when done.


  5. On the next page, select the Role mappings tab to see the available and assigned roles for your group. Select the roles you want to assign and click on Add selected. You can leave Keycloak once you’re done.

    We recommend assigning the roles that start with Manage, Use, View, and Stop. These are composite roles that combine one or more granularly defined roles. You can identify the granular roles by the underscore (_) at the beginning of their name. The table below lists all the composite roles you can choose from.

    Role                 Description
    ManageDataConnector  Create, update, read, and delete data connectors.
    UseDataConnector     Use data connectors in jobs and data catalogs and see their details.
    ManageDataCatalog    Create, update, read, and delete data catalogs.
    UseDataCatalog       Use data catalogs to start jobs and see their details.
    ManageJobs           Start, stop, update, and delete jobs, and download their assets.
    StopJobs             Stop a running job, exit the training and generation steps, and delete a job.
    ViewJobs             View the jobs list and job details, including job progress and QA report, and download their assets.
    ManageUser           View the user list and user details, view the Active Directory connection details and update them, and synchronize Active Directory with MOSTLY AI’s user directory.
    ManageLicense        View the license and activate it.
    UseAPI               Use all endpoints of the public API.
    ManageAPI            Create an API key for the public API.
    ManageGroupSharing   Change which groups have access to a job, data catalog, or data connector.
    ManagePublicSharing  Provide view access to a job, data catalog, or data connector to everyone.
    ManageOwnerSharing   Change the owner of a resource.

Managing users

MOSTLY AI supports two ways in which you can manage users. You can add and delete users by synchronizing MOSTLY AI’s user directory to your company’s Active Directory. Or, you can create them directly in Keycloak.

Please keep in mind that the users added via Active Directory synchronization still need to be configured in Keycloak to function.

Read on to synchronize MOSTLY AI’s user directory to your company’s Active Directory, or skip the first two steps to create new users in Keycloak.

  1. In MOSTLY AI’s web UI, navigate to Users and click on Users sync at the top-right corner of the user list.

    location of Users sync button


  2. A modal appears that shows the synchronization status. Once completed, it will show the number of added and deleted users.

    Synchronization modal


Next, we’ll turn to Keycloak to configure the newly created users.

  1. Access Keycloak’s user interface by typing its URL in your browser’s address bar. It’s the same as MOSTLY AI’s URL, but with the /auth path at the end of it.
    http://mostlyai.mycompany.com/auth, for example.


  2. Keycloak’s welcome page will now appear. Select Administration Console and enter the Admin credentials that were created during installation. You can also find these credentials in the docker-compose.yml file located in the /opt/mostly-generate/etc/ directory.

    The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.

      mostly-keycloak:
        image: mostlyai/mostly-keycloak:latest
        container_name: mostly-keycloak
        hostname: mostly-keycloak
        depends_on:
          - mostly-keycloak-postgres
        environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt


  3. Once you’re in Keycloak, click on Users in the left side menu and then on the Add user button on the Users page.


  4. If you’ve clicked on Add user, a new page appears where you can fill out their Email, First Name, and Last Name. Click Save when done.


  5. Next, the user profile page appears. Select the Credentials tab to set a password for this user account. Once you’ve entered the new password in the Password and Password confirmation fields, click Set password and confirm.


  6. Switch to the Groups tab to assign the user to one or more groups.

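
Step 2 of both procedures above reads the Keycloak admin credentials from docker-compose.yml. The check below is an added example, not part of MOSTLY AI's documentation or tooling: it flags credential values that still match the ones printed in the excerpt and a compose file that is readable beyond its owner. The sample text is constructed from the excerpt, and the function names are this example's own.

```python
import os
import re
import stat

# Path as given on this page; adjust for your installation.
COMPOSE_PATH = "/opt/mostly-generate/etc/docker-compose.yml"

# Constructed sample that mirrors the excerpt shown in step 2.
SAMPLE = """\
  mostly-keycloak:
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=adminpassword123456789
      - DB_USER=mostly_keycloak # mostly_keycloak
      - DB_PASSWORD=mostly_keycloak # mostly_keycloak
"""

# Values printed in the documentation excerpt; they must not reach production.
DOC_EXAMPLES = {"adminpassword123456789", "mostly_keycloak"}
# List-style entry "- KEY=VALUE"; the value ends at the first whitespace,
# so a trailing "# comment" is ignored.
ENV_LINE = re.compile(r"^\s*-\s*([A-Z0-9_]+)=(\S*)")


def parse_env(text):
    """Collect KEY=VALUE pairs from all services (a repeated key: last wins)."""
    matches = (ENV_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit(text, mode=None):
    """Return findings for compose text; mode is the file's st_mode if known."""
    env, findings = parse_env(text), []
    for key in ("KEYCLOAK_PASSWORD", "DB_PASSWORD"):
        if env.get(key) in DOC_EXAMPLES:
            findings.append(f"{key} is a value printed in the documentation")
    if env.get("DB_PASSWORD") and env["DB_PASSWORD"] == env.get("DB_USER"):
        findings.append("DB_PASSWORD is identical to DB_USER")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("compose file is readable by group or others")
    return findings


if __name__ == "__main__":
    if os.path.exists(COMPOSE_PATH):
        with open(COMPOSE_PATH) as fh:
            results = audit(fh.read(), os.stat(COMPOSE_PATH).st_mode)
    else:
        results = audit(SAMPLE)  # fall back to the constructed sample
    print("\n".join(results) or "no findings")
```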


Connecting to Active Directory

Before MOSTLY AI can synchronize its user directory with Active Directory, a Super Admin first needs to set up this connection. Please take the following steps to enable user synchronization:

  1. Navigate from the main menu to Settings > Active Directory and click on View. You will see the panel shown below.

    Active Directory settings


  2. Next, fill out the fields as follows:

    Connection URL

    Specify the domain name or IP address of the Active Directory server.

    Users DN

    Specify the subtree where the users reside using comma-separated relative distinguished names (RDNs).

    Custom user search filter

    Use a filter to select users from the full list of users in the Users DN node.

    Bind type

    Specify the authentication mechanism for connecting to the Active Directory server.

    Bind DN

    Provide a Bind DN to authenticate MOSTLY AI on the Active Directory server.

    Bind credential

    Enter the Bind credential (password) for the Bind DN.

    If you want to learn more about DNs (distinguished names) and RDNs (relative distinguished names), please visit this page on the LDAP.com website.


  3. Verify the Connection URL and Bind credential by clicking on Test connection and Test authentication, respectively.

  4. Click Save when MOSTLY AI connects and authenticates to the Active Directory server.


Advanced settings

Click on Advanced settings if the connection requires more granular configuration settings.
Please find a detailed description of the fields below this image:

Active Directory advanced settings


Username LDAP attribute

Specify the LDAP attribute that becomes the user’s username in MOSTLY AI. Examples of suitable attributes are mail, sAMAccountName, or cn.


RDN LDAP attribute

Specify the LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually, it’s the same as the Username LDAP attribute.


UUID LDAP attribute

Specify the LDAP attribute used as a unique object identifier (UUID) for objects in LDAP. For Active Directory, this is objectGUID.


User Object Classes

Enter the values of the LDAP objectClass attribute for users, separated by commas. Example: person, organizationalPerson, user.


Search Scope

Select Subtree or One Level. If the node listed in Users DN contains nested nodes with users, select Subtree. Otherwise, select One Level.


Enable StartTLS

Use an encrypted connection.
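
How Users DN and Search Scope together decide which directory entries are synchronized, as an added example that is not MOSTLY AI or Keycloak code. The directory entries and the `DC=mycompany,DC=com` base are constructed, and the parser is a simplification that handles backslash-escaped commas but not quoted values or multi-valued RDNs.

```python
def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    # Simplification: compare case-insensitively and ignore padding spaces.
    return [r.strip().lower() for r in rdns if r.strip()]


def in_scope(entry_dn, users_dn, scope):
    """True if entry_dn is searched under users_dn for the given Search Scope."""
    entry, base = split_dn(entry_dn), split_dn(users_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False            # not located under the Users DN at all
    if scope == "One Level":
        return depth == 1       # immediate children of the Users DN only
    if scope == "Subtree":
        return True             # the Users DN node and everything beneath it
    raise ValueError(f"unknown search scope: {scope}")


def users_in_scope(directory, users_dn, scope):
    """Filter a list of entry DNs down to those the search would cover."""
    return [dn for dn in directory if in_scope(dn, users_dn, scope)]


# Constructed sample directory.
USERS_DN = "OU=Analysts,DC=mycompany,DC=com"
DIRECTORY = [
    "CN=Ada Lovelace,OU=Analysts,DC=mycompany,DC=com",
    "CN=Smith\\, John,OU=Analysts,DC=mycompany,DC=com",  # escaped comma in CN
    "CN=Grace Hopper,OU=Contractors,OU=Analysts,DC=mycompany,DC=com",  # nested
    "CN=svc-backup,OU=Service Accounts,DC=mycompany,DC=com",  # other subtree
]

if __name__ == "__main__":
    for scope in ("One Level", "Subtree"):
        print(scope, users_in_scope(DIRECTORY, USERS_DN, scope))
```

Choosing the narrowest Users DN and scope that still covers the intended users keeps service accounts and unrelated organizational units out of the synchronized user list.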