Setup role-based access control for APPUiO Cloud

This guide describes how to setup role-based access control (RBAC) for users registered directly in APPUiO IdP.

See Configure role-based access control for brokered users to setup RBAC for users brokered from another identity provider.
This page will be updated once we’ve implemented support for selectively granting users access to single APPUiO Zones.


  • Installed APPUiO IdP (see Install Keycloak)

  • Administrator console access to APPUiO IdP

Create customized browser login flow

This section only needs to be done once.
  1. Login to APPUiO IdP as Administrator

  2. Go to realm appuio-cloud

  3. Go to Authentication  Flows.

  4. Select flow "Browser" and click "Copy." Give the copy a descriptive name, for example "browser rbac."

  5. In row "Browser Rbac Forms" select Actions  Add Flow.

    Alias = check user roles
    Description = Check user's roles and deny access if user isn't granted access to APPUiO Cloud
    Flow Type = generic
  6. Change the new "Check User Roles" sub-flow to type CONDITIONAL.

  7. Select Actions  Add Execution on the "Check User Roles" sub-flow to add an execution in the flow

    Provider = Condition - User Role
  8. Configure the new "Condition - User Role" execution by selecting Action  Config

    Alias = check-user-role
    User role = appuio-zone-access
    Negate output = ON (1)
    1 We negate the output of the "Condition - User Role" execution to break out of the sub-flow for users who have the specified role.
  9. Add a new execution to deny access to users who didn’t break out of the sub-flow

    Provider = Deny access
  10. Mark both executions in the "Check User Roles" sub-flow as REQUIRED.