Identity data model

The identity data model shows how Users and Organizations are implemented in Keycloak and OpenShift. Please see Data model for the full abstract data model.

keycloak model.drawio
Figure 1. Data model focusing implementation with Keycloak and OpenShift

Data model in Keycloak


Each APPUiO Cloud user is represented by a user object in Keycloak.


Each APPUiO Cloud organization is represented by a group object in Keycloak.


Each team of an APPUiO Cloud organization is implemented as a group object in Keycloak. A group object set below an organization group object in the group hierarchy becomes a team.

Data model in OpenShift

APPUiO Cloud users are represented as a pair of User and Identity objects in each OpenShift cluster (APPUiO Zone). These objects are created when a user first logs in on a OpenShift cluster. The user’s Keycloak property Username is used to name the User object in each OpenShift cluster.

APPUiO Cloud organizations and their teams are represented as Group objects in each OpenShift cluster. The Groups are synchronized from Keycloak to all OpenShift clusters in regular intervals. The organization CyberIgnite with team NobleGoldfish has two Groups: CyberIgnite and CyberIgnite+NobleGoldfish. The group synchronization is implemented with the RedHat Communities of Practice group-sync-operator.

To ensure Groups and their Users can’t be overridden by external actors the separator between organisation and team + is forbidden in group names.

Organization memberships are represented in each APPUiO Zone by adding the user’s User object name to the organization’s Group object.