Creating a user and granting access rights

🌐 This document is available in both English and Ukrainian. Use the language toggle in the top right corner to switch between versions.

1. Creating a user in the system

To create a new user (officer) in Keycloak, follow these steps:

  1. Go to the <registry-name>-officer-portal realm of the respective registry:

    • On the Users tab, click View all users.

    • Click the Add user button.

      user management 04

  2. In the opened window, enter the following user’s data:

    • Username (required) — the system name of the user in Keycloak. It does not affect user authentication.

      It can be used as an exception for logging into internal system services that require login and password authentication.

    • First Name (optional) — the user’s first name.

    • Last Name (optional) — the user’s last name.

    • User Enabled (enabled by default) — a mark indicating that the user is activated in the system (if not active, the user’s access to the system will be restricted).

    • Email Verified (optional) — activated if email confirmation is required.

    user management 33

  3. Click the Save button.

  4. Go to the Credentials tab.

  5. Enter the password in the Password field and confirm it in the Password Confirmation field. Check the Temporary box to generate a temporary password.

    For security reasons, it is necessary to change the temporary password during the first login to the system.

    user management 34

  6. Click the Set Password button.

    0

  7. Go to the Role Mappings tab and assign the necessary roles to the user. Click the Add selected button.

    Verify that the user has the mandatory officer role assigned, which provides access to the Officer Portal.

    You can also assign additional roles depending on your registry’s logic.

    user management 36

  8. The assigned roles are displayed in the Assigned Roles section.

    user management 37

  9. Go to the Attributes tab and set values for the parameter keys: drfo, edrpou, fullName, which are mandatory for authentication with the user’s Qualified Electronic Signature (see Registry user authentication). A new parameter is added after you click the Add button.

    If the attribute values do not correspond to the values specified in the Qualified Electronic Signature, the user will not be able to access the Officer portal or sign the Qualified Electronic Signature tasks.

drfo — особистий реєстраційний номер облікової картки платника податків (РНОКПП) посадової особи. Якщо через релігійні переконання особа не отримувала РНОКПП, необхідно вказати серію та номер паспорта або номер ID-картки.

+

Attribute Description Mandatory

drfo

State register of individuals taxpayers. The official’s personal registration number of the taxpayer’s account card (RNOKPP). If the person did not receive such a card due to religious beliefs, it is necessary to specify the series and number of the passport or the ID card number.

Yes

edrpou

The unique identification number of the legal entity in the Unified state register of enterprises and organizations of Ukraine (8 digits).

Yes

fullName

Last name, first name, patronymic (if available).

Yes

<custom-attribute>

Any attribute with a custom name and value (e.g., organization name, region, district, locality, etc.) if there is a future need to generate statistics based on it. It is prohibited to include special characters ([, ], {, }, \, "), as well as values exceeding 255 characters. The name of each additional attribute must be the same for all users in the registry and have a unique name among other parameters.

E.g. location, age and so on.

No

+ user management 42

  1. Click the Save button.

The user has been successfully created.

2. Removing a role from a user

To remove roles assigned to a user, follow these steps:

  1. Select a user. To do this, choose the corresponding realm, go to the Users section, click View all users, and select the user from the list.

    user management 40

  2. Select the roles you want to remove from the list and click Remove selected.

    user management 38

  3. The removed roles will become available and will be shown in the Available Roles section.

    user management 39

    • KATOTTG or Codifier of administrative-territorial units and territories of territorial communities (to be filled in for registries using the territorial role model) - a list of codes from the Codifier of administrative-territorial units and territories of territorial communities. After determining the code, the abbreviated value of the code should be recorded in Keycloak. The user of the Officer portal will have access to records of the specific region/district/territorial community, etc., whose code is indicated.

      To view the decryption of the code KATOTTG, please follow the link.

      Find the most up-to-date file Codifier. For convenience, use additional filtering by the Object Category column of the file, which contains the following values:

      Level

      Value

      First level

      O - Autonomous Republic of Crimea, regions

      K - cities with special status

      Secod level

      P - districts in regions and the Autonomous Republic of Crimea

      Third level

      H - territories of territorial communities (names of territorial communities) in regions, territorial communities of the Autonomous Republic of Crimea

      Fourth level

      M - cities

      T - urban-type settlements

      C - villages

      X - settlements

      Additional level

      B - districts in cities
      Example 1:

      To provide user with access to the Officer portal at the level of the Myrhorod territorial community (Third level) in Poltava region, do the following:

      • select the value H in the Object category column.

      • enter the name of the territorial community Myrhorodska in the Object name column as a search query.

      • copy the code value of the territorial unit (UA53060230000098362) from the "Third level" column.

      • according to the decryption below, determine which blocks are the last non-zero ones, delete all zero blocks along with the system number, and enter only this value into Keycloak. In Example 1, you need to enter UA5306023 into Keycloak (blocks up to the level of territorial communities are non-zero).

      user management 41

      Example 2:

      To provide user with access to the Officer portal at the level of Shevchenkivskyi district in Poltava city (Additional level), do the following:

      • first, select the value O in the Object category column.

      • enter the name of the region Poltavska in the Object name column for search.

      • copy the code value of the region UA53000000000028050 from the First level column.

      • use the filter to leave only the values in the First level column that contain the value UA53000000000028050.

      • select the value B in the "Object Category" column.

      • enter the name of the district Shevchenkivskyi in the Object name column as a search query.

      • copy the code value of the territorial unit (UA53080370010339303) from the Additional level column.

      • according to Example 1, determine which blocks are the last non-zero ones, delete all zero blocks along with the system number, and enter only this value into Keycloak. In Example 2, you need to enter UA530803700103 into Keycloak (blocks up to the level of districts in cities are non-zero).

      If a user has access to multiple territorial units, their codes are entered into Keycloak with a separator ##. The maximum number of values for one user is 16.

      If you are granting a user access to records of the entire Ukraine, within the KATOTTG field only two characters should be specified: UA

      For more information on the territory-based hierarchical role model, see Hierarchical model