# Toolkit Roles/Groups ## 1. User Removed from Group **Action:** On Keycloak's side, the user is removed from a defined group. **Result:** - In the toolkit, the user remains part of the group until they log out and log back in. This is because the toolkit cannot react directly to changes made in Keycloak. - A refresh of the user account session is required for changes to take effect. --- ## 2. Group Name Modified **Action:** On Keycloak's side, the admin modifies a group name, for example: _Area Coordinator → Head Area Coordinator_ **Result:** - From the toolkit's perspective, this is treated as a new group name being created. - The old group name will still function as before. - After the user restarts their session, they will see the new group name, resulting in a completely new relation. The user will also be removed from the old group. - Data from the old relation will remain associated with the old name. An administrator must update all admin settings where the old group was used. --- ## 3. Keycloak Role Mapping **Topic:** Explain how role mapping is implemented in the toolkit and the implications of modifications. **Explanation:** - Role Mapping is used to grant access to the toolkit. - When navigating to different pages, access is restricted based on specific role mappings. - Users without the required role mappings will be denied access to those pages. - Administrators must ensure that role mappings are correctly assigned to users to avoid access issues. --- ## 4. Keycloak Groups **Topic:** Describes how groups are utilized by the toolkit and the impact of modifications. **Explanation:** - Groups are the primary method for distinguishing user permissions in the toolkit. - This includes: 1. Whether the user has admin privileges. 2. In Punchlist: Whether the user is permitted to approve workflow steps. 3. In LOTO: Whether the user receives notifications as a maintenance or operations user. 4. No group requirements are set up in Clashes or Redline. --- ## 5. Required Keycloak Groups **Action:** Lists the groups required for the toolkit to function properly. **Result:** - **Maintenance and Operations:** Required by the current LOTO application (This is likely to change in February 2025). ## 6. Required Keycloak Role Mappings **Action:** Lists the role mappings required for the toolkit to function properly. **Result:** - **Admin:** Grants global permissions in the toolkit, only "Admin" can view and change license key.