Admin User Management - Exploring the User Management solution design | Keycloak and TIS Profile service for Managing Users


Keycloak provides the authentication services for TIS: it stores each User account (username, first name, last name, email address, roles, groups) and provides login and the other password management services (forgotten-password reset, temporary passwords for an admin reset).

These User accounts secure access to the TIS Admin site for HEE Admins/Trust delegates and to the TIS Trainee site for Trainees/Trainers. Keycloak groups for Admin and Trainee differentiate these two user populations. Admins are further differentiated by membership of a group representing their HEE 'organisational unit' (currently Local Team).

So that the TIS application can give the user access to the appropriate pages/resources after login, the User account details, including roles and groups, are passed to the TIS Profile service as part of login. This sync creates a User account in the Profile service if one doesn't exist and updates it if it does. It identifies a user by Username and so relies on a static, persistent username; the sync doesn't support updating the username (changing a username in Keycloak results in a new User account in the Profile service, with the old one left in place).

Notes:

  • We need to revisit the data model in the Profile service - we currently have HEEUser for user logins without an ID field, and TraineeProfile which creates a TISID linked to a GMC ID (includes Designated Body Code)
  • Look at the creation and maintenance of IDs - both Profile and Person have them and they auto-increment, (we link via GMC ID currently) - we need them to be globally unique and persistent across a database rebuild

Processes

Keycloak - Create Admin User

  • Admin creates the account in the Keycloak UI and sets the role(s), DBC(s) and group(s), with a temporary username (Firstname.Lastname.X would suffice)
  • User logs in; the Profile service detects that it is a new account and creates a User in the Profile DB with the relevant roles (using JPARepository save)
  • Once the Profile service has allocated a TIS ID it pushes that back to Keycloak via the Keycloak update API call (old and new username required)

Keycloak - Update existing Admin User's details / Roles / Groups

  • User already exists in both the Profile DB and Keycloak
  • Admin updates details (name, email address) or amends roles, DBCs or groups for the user in Keycloak.
  • The Profile DB gets updated with the details, roles, DBCs and/or groups changes when the user next logs in
  • First we need to sync Roles and DBCs from the Profile service up to KC, so the current roles don't get wiped by the first login-time sync from KC
  • This process should work for Trainee/Trainer Users too rather than being limited to Admin Users - walk through and check. We would still need to support updates from the TIS side, as we won't want to delegate KC access to local office admins.
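The login-time sync described above (Keycloak user details pushed into the Profile service on every login, keyed on username) as an added example; this is not TIS project code. The Profile service is a Spring/JPA service, but the logic is modelled here in Python over an in-memory store. The `sync_on_login` function, the `HeeUser`/`ProfileStore` names, the `groups` and `dbcs` claims (they would need Keycloak protocol mappers; only `preferred_username`, `given_name`, `family_name`, `email` and `realm_access.roles` are standard token claims) and the sample logins are all assumptions. The third constructed login shows the failure mode: after a username change in Keycloak a second Profile account appears. The sync also writes the last-login timestamp and the email-change audit row that the general questions at the end of the page ask about.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HeeUser:
    """Profile-service user record; the sync identifies it by username only."""
    username: str
    first_name: str
    last_name: str
    email: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    dbcs: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None


@dataclass
class EmailChangeAudit:
    """Audit row written whenever the email arriving from Keycloak differs from the stored one."""
    username: str
    old_email: str
    new_email: str
    changed_at: datetime
    source_ip: str


class ProfileStore:
    """In-memory stand-in for the JPA repository (assumed; not the real schema)."""

    def __init__(self) -> None:
        self.users: Dict[str, HeeUser] = {}
        self.email_audit: List[EmailChangeAudit] = []


def sync_on_login(store: ProfileStore, claims: dict, source_ip: str,
                  now: Optional[datetime] = None) -> Tuple[HeeUser, bool]:
    """Upsert the Profile user from the decoded Keycloak token claims.

    'groups' and 'dbcs' are assumed custom mapper claims. Keycloak is treated as the
    source of truth for roles, groups and DBCs, so whatever Profile held is overwritten.
    Returns (user, created).
    """
    now = now or datetime.now(timezone.utc)
    username = claims["preferred_username"]
    roles = set(claims.get("realm_access", {}).get("roles", []))
    groups = set(claims.get("groups", []))
    dbcs = set(claims.get("dbcs", []))

    user = store.users.get(username)
    created = user is None
    if created:
        user = HeeUser(username, claims.get("given_name", ""),
                       claims.get("family_name", ""), claims.get("email", ""))
        store.users[username] = user
    else:
        new_email = claims.get("email", "")
        if new_email != user.email:
            # The email address is a password-reset channel: record who changed it, when, from where.
            store.email_audit.append(
                EmailChangeAudit(username, user.email, new_email, now, source_ip))
        user.first_name = claims.get("given_name", user.first_name)
        user.last_name = claims.get("family_name", user.last_name)
        user.email = new_email

    user.roles, user.groups, user.dbcs = roles, groups, dbcs
    user.last_login = now
    return user, created


def demo() -> ProfileStore:
    """Constructed logins: create, update in place, then the username-change failure mode."""
    store = ProfileStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = {"preferred_username": "jane.smith.1", "given_name": "Jane",
             "family_name": "Smith", "email": "jane@example.org",
             "realm_access": {"roles": ["Admin"]}, "groups": ["Admin", "Local Team A"]}
    sync_on_login(store, first, "10.0.0.1", t0)
    # Same username, changed email and an extra role: updated in place, one audit row written.
    second = dict(first, email="jane.new@example.org",
                  realm_access={"roles": ["Admin", "TrustDelegate"]})
    sync_on_login(store, second, "10.0.0.2", t0)
    # Username changed in Keycloak: nothing links it to jane.smith.1, so a second account appears.
    renamed = dict(second, preferred_username="12345")
    sync_on_login(store, renamed, "10.0.0.2", t0)
    return store
```

Because roles, groups and DBCs are overwritten from the token on every login, whatever the Profile DB holds today has to be loaded into Keycloak before this sync goes live; that is what the "sync Roles and DBCs up to KC first" step protects against. The identifier Keycloak keeps stable across a username change is the `sub` claim (the user's UUID); keying the Profile record on that rather than on `preferred_username` would let the later rename to a TIS ID happen without creating a duplicate account.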

TIS - Create new Trainee user (Single / Bulk)

  • Trainee/Trainer Person records are created in the TCS service through the UI as a single user, or in bulk via Bulk People import or Bulk Recruitment import (Oriel now looks like being an enrichment of a manually created Trainee)
  • A Trainee's Group and Roles will likely be common to all Trainees (validate this - also, will a Trainee need a DBC?)
  • The act of creating a single Trainee/Trainer User account needs to tie back to the Person record, so it is either invoked from within a Person record by an admin, or the Person record is chosen on the create Trainee User account screen. The process creates a User in the Profile service: the TIS ID of this User record becomes the username, and first name, last name and email come from the Person record. Roles and Groups are assumed standard at this point. The details then need to be pushed into Keycloak using the Keycloak API.
  • The Trainee User record in the Profile service needs to store the 'link' to the Trainee's Person record in the TCS service - see question below.
  • We need to get the Trainee to set a password - still to establish how. It can be set programmatically as a temporary password and pushed into Keycloak using the API. Investigate password reset without an initial password (see below)
  • To create multiple Trainee Users at once, probably the easiest approach is to use Bulk People import (does it support updates as well as create?) with a flag to create the User (hopefully no other fields required)
  • Need to agree how we decide a Trainee User is required - will all trainees get them from the outset, automatically, or is it a decoupled process where we choose which Trainees get them and bulk create Trainee Users? Perhaps we allow bulk creation of Trainee User Accounts into KC to catch up on historical Person records, but automate from Person creation to User creation going forward
  • Do we use permissions to identify which Person record this user has access to, or simply store the Person ID in the User record?
  • Can Keycloak send a password reset email linking to the password reset page outside of a login, so we can use it for first-time password setting without needing to create a one-time temporary password for the user? That would also save us from having to build and send the email. Otherwise we'll need code in the Profile service to auto-generate a one-time password and build a first-time email to send to the Trainee with a welcome, their username (email) and the temporary password

TIS - Update existing Trainee User's details

  • Admin updates the Trainee/Trainer first name, last name or email address in the Person record.
  • If the Person record has a corresponding User record, that is also updated
  • If we've updated a User record, the details then need to be pushed into Keycloak using the Keycloak API.
  • Don't believe a Trainee/Trainer's Roles/Groups will change, but they could be included in future with a UI in TIS that shows them.
  • If the update came from a bulk import rather than a single record (or an ESR update in future), how would we trigger the update push to KC?

Using TIS ID as the username

  • Check KC API supports setting Username - test - Simon tested, works fine
  • Check whether all Trainee's will have one Group and the same role(s)?
  • code a 'call back' from TIS to KC - on login, if the username isn't the TIS ID, set it in the Profile service and call the KC API to set it to the TIS ID too; decide whether to tell the User or keep them focused on email for login
  • can KC email the initial password to users on create via the UI or API? - explore on dev - looks like the 'required action' of password reset might work without needing an initial password
  • Keycloak should issue your username in the registration email - ideally a usable TIS ID
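The create, update and rename flows from the three lists above (create Trainee User from a Person record with the TIS ID as username, push Person edits into Keycloak, set the username to the TIS ID), as an added example that is not TIS project code. It is written in Python against the Keycloak Admin REST API, with a constructed in-memory transport so it runs offline. The endpoints are real Keycloak Admin API calls (`POST /admin/realms/{realm}/users`, `PUT .../users/{id}`, `PUT .../users/{id}/groups/{groupId}`, `PUT .../users/{id}/execute-actions-email`); `execute-actions-email` answers the open question above, because Keycloak emails a link that performs the `UPDATE_PASSWORD` required action, so no temporary password has to be generated or sent. The class and function names, the `person` dictionary shape, the group id, client id, base URL and token are assumptions.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, json_body, headers) and returns (status, headers, text).
Transport = Callable[[str, str, Optional[object], Dict[str, str]], Tuple[int, Dict[str, str], str]]


def urllib_transport(method: str, url: str, body, headers: Dict[str, str]):
    """Real HTTP transport, used only when talking to a live Keycloak."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, dict(resp.headers), resp.read().decode()


class KeycloakAdmin:
    """The Admin REST API calls the provisioning flow needs. `token` is a bearer token for a
    service account holding manage-users on the realm (obtaining it is out of scope here)."""

    def __init__(self, base_url: str, realm: str, token: str, transport: Transport = urllib_transport):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.transport = transport
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def _call(self, method: str, path: str, body=None, expect=(204,)) -> Dict[str, str]:
        status, hdrs, text = self.transport(method, self.base + path, body, self.headers)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {text}")
        return hdrs

    def create_user(self, rep: dict) -> str:
        """POST /users answers 201 with Location: .../users/{id}; that id is the stable key."""
        hdrs = self._call("POST", "/users", rep, expect=(201,))
        return hdrs["Location"].rstrip("/").rsplit("/", 1)[1]

    def add_to_group(self, user_id: str, group_id: str) -> None:
        self._call("PUT", f"/users/{user_id}/groups/{group_id}")

    def send_set_password_email(self, user_id: str, client_id: str, lifespan_s: int = 43200) -> None:
        """Emails a link that runs the UPDATE_PASSWORD action; valid for lifespan_s seconds."""
        q = urllib.parse.urlencode({"client_id": client_id, "lifespan": lifespan_s})
        self._call("PUT", f"/users/{user_id}/execute-actions-email?{q}", ["UPDATE_PASSWORD"])

    def update_user(self, user_id: str, fields: dict) -> None:
        self._call("PUT", f"/users/{user_id}", fields)


def provision_trainee(kc: KeycloakAdmin, person: dict, tis_id: int,
                      trainee_group_id: str, client_id: str) -> str:
    """Create the Keycloak account for a Person record (username = TIS ID) and send the first-login email."""
    rep = {"username": str(tis_id), "firstName": person["forenames"], "lastName": person["surname"],
           "email": person["email"], "enabled": True, "emailVerified": False,
           "requiredActions": ["UPDATE_PASSWORD"]}   # no initial password is set at all
    user_id = kc.create_user(rep)
    kc.add_to_group(user_id, trainee_group_id)
    kc.send_set_password_email(user_id, client_id)
    return user_id


def push_person_update(kc: KeycloakAdmin, user_id: str, person: dict) -> None:
    """Mirror a Person record edit (name/email) into the linked Keycloak user."""
    kc.update_user(user_id, {"firstName": person["forenames"], "lastName": person["surname"],
                             "email": person["email"]})


def rename_to_tis_id(kc: KeycloakAdmin, user_id: str, tis_id: int) -> None:
    """The TIS -> KC call back: replace a temporary username with the allocated TIS ID."""
    kc.update_user(user_id, {"username": str(tis_id)})


class FakeKeycloak:
    """Constructed stand-in transport so the flow runs offline; records calls and stores users."""

    def __init__(self) -> None:
        self.calls, self.users, self._n = [], {}, 0

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, body))
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path.endswith("/users"):
            uid = f"uuid-{self._n}"
            self._n += 1
            self.users[uid] = dict(body)
            return 201, {"Location": f"{url}/{uid}"}, ""
        parts = path.rsplit("/users/", 1)
        tail = parts[1] if len(parts) == 2 else ""
        if method == "PUT" and tail and "/" not in tail:   # PUT /users/{id}: partial update
            self.users[tail].update(body)
        return 204, {}, ""


def demo() -> Tuple[FakeKeycloak, str]:
    """Provision one constructed trainee, then push an email change from the Person record."""
    fake = FakeKeycloak()
    kc = KeycloakAdmin("https://keycloak.example.invalid", "tis", "constructed-token", fake)
    person = {"forenames": "Jo", "surname": "Doe", "email": "jo@example.org"}
    uid = provision_trainee(kc, person, 100234, "group-trainee", "tis-trainee-ui")
    push_person_update(kc, uid, dict(person, email="j.doe@example.org"))
    return fake, uid
```

Against a live realm, drop the `FakeKeycloak` argument so the default `urllib_transport` is used, and pass a bearer token for a service account with the realm's manage-users role. Keep the user id that `create_user` returns alongside the Profile user: it is what stays constant when `rename_to_tis_id` later changes the username, and what every other admin call is addressed to. If a rename returns 204 but the username does not change, check the realm's "Edit username" setting.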

General questions

  • Should we store the last successful login datetime in HEE User as part of the sync from Keycloak to TIS Profile during login? This would make it easily exportable to the NDW and reportable
  • We should maintain an audit trail of changes to email address, as it can be used to reset the password and take over the account - (old email, new email, datetime, IP of user?). Is this in place, or how would we implement it?
  • improve the registration process - how do we know you own the email address given at registration?
  • We need to create the Trainee Role, with a permission to view only your own record (permission still to be developed)