MOSTLY AI updates its user directory by synchronizing it with your company’s Active Directory. Admins can view the user directory by clicking on Users in the main menu and edit user details. Super Admins can synchronize the user directory, thereby adding and deleting users.

To set up the connection between MOSTLY AI and Active Directory, please follow the instructions in section 4. Connecting to Active Directory.

1. User roles

User roles define permissions for users to access features and information within the application. MOSTLY AI has three predefined user roles: User, Admin, and Super Admin.

Users can only generate synthetic data and view, delete or generate more data from their runs. They can receive permissions to view and generate more data from other users' runs.

Admins can manage users and the contents of the Data Catalog and receive permissions to view the dashboard and configure the advanced settings.

Super Admins can synchronize your company’s Active Directory with MOSTLY AI’s user database and create API tokens.

Please find a detailed overview of the roles and permissions in the table below:

| Permission | User | Admin | Super Admin |
| --- | --- | --- | --- |
| Access their own runs and generate more data from them | yes | no | yes |
| Create and delete your own runs | yes | no | yes |
| Access all runs and generate more data from them | delegated | yes | yes |
| Delete other users' runs | delegated | yes | yes |
| Access the User details | no | yes | yes |
| Create, edit, and delete users | no | yes | yes |
| Access the Data Catalog | no | yes | yes |
| Add and remove datasets from the Data Catalog | no | yes | yes |
| Access the Dashboard | no | delegated | yes |
| Configure the advanced settings | no | delegated | yes |
| Synchronize MOSTLY AI’s user directory with your company’s Active Directory | no | no | yes |
| Create API tokens | no | no | yes |

2. Creating new users

Super Admins can create and manage users using your company’s Active Directory. Once a new user is configured there, take the following steps to synchronize MOSTLY AI’s user database to Active Directory:

  1. Navigate to Users and click on Users sync at the top-right corner of the user list.



  2. A modal appears that shows the synchronization status. Once completed, it will show the number of added and deleted users.



2.1 Creating new users via Keycloak

You can also add users via Keycloak — an Identity and Access Management service that is part of MOSTLY AI’s installation.

  1. You can access Keycloak’s user interface by typing its URL in your web browser. It’s the same as MOSTLY AI’s URL, but with the login subdomain in front of the domain name, for example https://login.mostly.mycompany.com.


  2. Keycloak’s login screen will now appear. Here you can enter the Admin credentials that were created during installation. You can also find these credentials in the docker-compose.yml file located in the /opt/mostly-generate/etc/ directory.

    The credentials are stored in the KEYCLOAK_USER and KEYCLOAK_PASSWORD fields.

      mostly-keycloak:
        image: mostlyai/mostly-keycloak:latest
        container_name: mostly-keycloak
        hostname: mostly-keycloak
        depends_on:
          - mostly-keycloak-postgres
        environment:
          - VIRTUAL_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - VIRTUAL_PORT=$MOSTLY_GENERATE_PORT  #8080
          - LETSENCRYPT_HOST=login.$MOSTLY_GENERATE_DOMAIN #login.mostly.mycompany.com
          - KEYCLOAK_USER=admin
          - KEYCLOAK_PASSWORD=adminpassword123456789
          - DB_VENDOR=postgres
          - DB_ADDR=mostly-keycloak-postgres #mostly-keycloak-postgres
          - DB_PORT=5432 # 5432
          - DB_DATABASE=mostly_keycloak # mostly_keycloak
          - DB_USER=mostly_keycloak # mostly_keycloak
          - DB_PASSWORD=mostly_keycloak # mostly_keycloak
          - PROXY_ADDRESS_FORWARDING=true
          - X509_CA_BUNDLE=/opt/mostly-keycloak-setup/enterprise_mostlylab.crt


  3. Once you’re in Keycloak, click on Users in the left side menu and then on the Add user button on the Users page.



  4. Next, fill out the Email, First Name, and Last Name fields and click Save.



  5. Switch to the Credentials tab to set a password for this user account. Once you’ve entered the new password in the Password and Password confirmation fields, click Set password and confirm.



2.2 Creating and managing Super Admins

To create and manage Super Admin accounts, you’ll need to have access to MOSTLY AI’s installation directory. Here, you can add a username and initial password to the realm.yml file, located in the /opt/mostly-generate/etc/ directory.

Below you can see an example configuration. Under the super-admin-users key, just add another list item with a username and password.

super-admin-users:
  - username: existing-super-admin@mycompany.com
    password: sudo1234
  - username: additional-super-admin@mycompany.com
    password: sudo1234


MOSTLY AI must be restarted for the changes to take effect.

The new Super Admin account will initialize after the user changes their password during the first login.
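Both docker-compose.yml (section 2.1) and realm.yml (section 2.2) hold passwords in plaintext. The following check is an added example, not part of MOSTLY AI's tooling: it flags files accessible beyond the owner and secrets that are example values from this page, short, or reused. The 16-character minimum and the function names are assumptions.

```python
import os
import re
import stat

# Passwords printed as examples on this page; a deployed file must not contain them.
DOC_EXAMPLES = {"adminpassword123456789", "sudo1234"}
# Matches "- KEYCLOAK_PASSWORD=value" (compose) and "password: value" (realm.yml).
SECRET_RE = re.compile(r"^\s*-?\s*(\w*password)\s*[=:]\s*(\S+)", re.IGNORECASE)

def scan_secrets(text, min_len=16):
    """Return (line_no, finding) pairs for example, short or reused secrets."""
    findings, first_seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if value in DOC_EXAMPLES:
            findings.append((no, f"{key}: documentation example value"))
        elif len(value) < min_len:  # min_len is an assumed policy, not a product rule
            findings.append((no, f"{key}: shorter than {min_len} characters"))
        if value in first_seen:
            findings.append((no, f"{key}: same secret as line {first_seen[value]}"))
        first_seen.setdefault(value, no)
    return findings

def audit_file(path):
    """Check the file mode first (reported as line 0), then the secrets inside."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, f"mode {mode:04o}: accessible beyond the owner"))
    with open(path, encoding="utf-8") as fh:
        return findings + scan_secrets(fh.read())

# Constructed sample: the realm.yml excerpt shown in section 2.2.
SAMPLE_REALM = """super-admin-users:
  - username: existing-super-admin@mycompany.com
    password: sudo1234
  - username: additional-super-admin@mycompany.com
    password: sudo1234
"""

if __name__ == "__main__":
    for name in ("docker-compose.yml", "realm.yml"):
        path = os.path.join("/opt/mostly-generate/etc", name)
        if os.path.exists(path):
            for no, finding in audit_file(path):
                print(f"{path}:{no}: {finding}")
```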

3. Editing user properties

Admins and Super Admins can access the user directory and edit user properties. To edit a user’s details, click on Users in the main menu, and click on the user you want to edit. You will see the panel shown in the image below.

User role settings

Here you can edit their first name, last name, email address, user role, and certain admin and super admin permissions that you can delegate to them. Please see the table in section 1. User roles for further details on what you can delegate for each user role.

Click on Save changes once you’re done.

4. Connecting to Active Directory

Before MOSTLY AI can synchronize its user directory with Active Directory, a Super Admin first needs to set up this connection. Please take the following steps to enable user synchronization:

  1. Navigate from the main menu to Settings > Active Directory and click on View. You will see the panel shown below.

    Active Directory settings


  2. Next, fill out the fields as follows:

    Connection URL

    Specify the domain name or IP address of the Active Directory server.

    Users DN

    Specify the subtree where the users reside using comma-separated relative distinguished names (RDNs).

    Custom user search filter

    Use a filter to select users from the full list of users in the Users DN node.

    Bind type

    Specify the authentication mechanism for connecting to the Active Directory server.

    Bind DN

    Provide a Bind DN to authenticate MOSTLY AI on the Active Directory server.

    Bind credential

    Enter the Bind credential (password) for the Bind DN.

    If you want to learn more about DNs (distinguished names) and RDNs (relative distinguished names), please visit this page on the LDAP.com website.


  3. Verify the Connection URL and Bind credential by clicking on Test connection and Test authentication, respectively.

  4. Click Save when MOSTLY AI connects and authenticates to the Active Directory server.


4.1 Advanced settings

Click on Advanced settings if the connection requires more granular configuration settings.
Please find a detailed description of the fields below this image:

Active Directory advanced settings


Username LDAP attribute

Specify the LDAP attribute that becomes the user’s username in MOSTLY AI. Examples of suitable attributes are mail, sAMAccountName, or cn.


RDN LDAP attribute

Specify the LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually, it’s the same as the Username LDAP attribute.


UUID LDAP attribute

Specify the LDAP attribute used as a unique object identifier (UUID) for objects in LDAP. For Active Directory, this is objectGUID.


User Object Classes

Enter the values of the LDAP objectClass attribute for users, separated by commas. Example: person, organizationalPerson, user.


Search Scope

Select Subtree or One Level. If the node listed in Users DN contains nested nodes with users, select Subtree; otherwise, select One Level.


Enable StartTLS

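Use an encrypted connection: StartTLS upgrades the LDAP connection to TLS, so the Bind credential and the synchronized user data are not sent in cleartext.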
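How Users DN, Search Scope and User Object Classes combine to decide which accounts a synchronization pulls in, shown as an added example (not MOSTLY AI code). It assumes standard LDAP scope semantics and that an entry must carry every listed object class; the directory entries and function names are constructed for illustration.

```python
def split_rdns(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc or ch == "\\":
            cur += ch
            esc = not esc and ch == "\\"
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return [r.strip().lower() for r in rdns if r.strip()]

def in_scope(entry_dn, users_dn, scope):
    """True if entry_dn lies below users_dn at a depth the scope allows."""
    entry, base = split_rdns(entry_dn), split_rdns(users_dn)
    depth = len(entry) - len(base)
    if not base or depth < 1 or entry[depth:] != base:
        return False
    return depth == 1 if scope == "One Level" else True

def would_sync(directory, users_dn, scope, user_classes):
    """DNs selected by Users DN + Search Scope + User Object Classes."""
    # Assumption: an entry matches only if it has every listed objectClass.
    wanted = {c.strip().lower() for c in user_classes.split(",")}
    return [dn for dn, classes in directory
            if in_scope(dn, users_dn, scope)
            and wanted <= {c.lower() for c in classes}]

USER = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [  # constructed sample entries: (DN, objectClass values)
    ("CN=Ada Lovelace,OU=Staff,DC=mycompany,DC=com", USER),
    ("CN=Temp\\, Tim,OU=Contractors,OU=Staff,DC=mycompany,DC=com", USER),
    ("CN=BUILD01,OU=Staff,DC=mycompany,DC=com", USER + ["computer"]),
    ("CN=svc-backup,OU=Service Accounts,DC=mycompany,DC=com", USER),
]

if __name__ == "__main__":
    for scope in ("Subtree", "One Level"):
        print(scope, would_sync(DIRECTORY, "OU=Staff,DC=mycompany,DC=com",
                                scope, "person, organizationalPerson, user"))
```

BUILD01 is selected in both scopes because Active Directory computer objects also carry the person, organizationalPerson and user classes. A Custom user search filter such as `(objectCategory=person)` is what keeps machine accounts out of the synchronized user list.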