Hitachi Vantara Lumada and Pentaho Documentation

Configuring RBAC (InfluxDB only)

IIoT Core Services provides Role-Based Access Control (RBAC) to secure access to resources using Keycloak.

An administrator configures access to resources, what actions users can perform, and which areas they can access, providing fine-grained control over access management. Access control is granted per database rather than per asset.

The admin user that is set when installing IIoT Core Services can access any data by default, so a user who is assigned the admin role can access all resources.

Create permissions for a role

You can create access permissions for a role in Keycloak and then assign those permissions to a user or a group.

Before you begin

Procedure

  1. Log in to the Keycloak admin console as an admin user.

  2. In the left navigation pane, select Roles, then click the Add Role button on the Realm Roles tab.

  3. Enter a name for the role and click Save.

  4. In the left navigation pane, select Clients, then hiota in the Client ID column.

  5. From the Hiota page, select Authorization > Resources, then click Create to create a resource.

  6. On the Add Resource page, complete the information for the new resource.

    Field          Description
    Name           Required format: <data store type>_<database name>
                   <data store type> should be influxdb.
                   Example: To give users permission to access database abc in InfluxDB, the resource name must be influxdb_abc.
    Display name   Can be given any name.

    Other fields are optional and not important for the RBAC process.
  7. Click Save.

    The resource is added to the list of resources.
  8. From the Hiota page, select Authorizations > Policies, then select Create Policy > Role to create a new role-based policy.

  9. Complete the Add Role Policy page for the new policy.

    In the Realm Roles field, select the role that you created earlier.
  10. Click Save.

    The role is added to the list of roles.
  11. From the Hiota page, select Authorizations > Permissions, then select Create Permission > Resource-Based to create a new resource permission.

  12. Complete the Add Resource Permission page for the new policy.

    In the Resources field, select the resource that you created earlier. In the Apply Policy field, select the previously created policy.
  13. Click Save.

Results

The created role is now associated with a permission and can be assigned to one or more users or groups.
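
The resource, role policy, and resource permission created in this procedure can be reviewed offline. The following is an added example, not part of the Hitachi Vantara documentation: it lists which InfluxDB databases each realm role reaches and flags resource names that break the influxdb_<database name> rule. It assumes the layout of a Keycloak client authorization-settings export, in which list-valued config fields are JSON-encoded strings; the sample data and the role, policy, and permission names are constructed.

```python
import json
import re

# Resource naming rule from the page: <data store type>_<database name>, store type influxdb.
RESOURCE_NAME = re.compile(r"^influxdb_(?P<db>.+)$")

# Constructed sample. Assumption: it follows the layout of a Keycloak client
# authorization-settings export (list-valued config fields are JSON strings).
SAMPLE_EXPORT = {
    "resources": [
        {"name": "influxdb_abc", "displayName": "Plant A metrics"},
        {"name": "influx_xyz", "displayName": "Mistyped resource"},
    ],
    "policies": [
        {"name": "abc-readers-policy", "type": "role",
         "config": {"roles": json.dumps([{"id": "abc-readers", "required": False}])}},
        {"name": "abc-permission", "type": "resource",
         "config": {"resources": json.dumps(["influxdb_abc"]),
                    "applyPolicies": json.dumps(["abc-readers-policy"])}},
        {"name": "xyz-permission", "type": "resource",
         "config": {"resources": json.dumps(["influx_xyz"]),
                    "applyPolicies": json.dumps(["abc-readers-policy"])}},
    ],
}

def audit(export):
    """Return (role -> sorted database names, resource names that break the naming rule)."""
    malformed = sorted(r["name"] for r in export.get("resources", [])
                       if not RESOURCE_NAME.match(r["name"]))
    # Map each role-based policy to the realm roles it lists.
    roles_by_policy = {}
    for p in export.get("policies", []):
        if p.get("type") == "role":
            roles_by_policy[p["name"]] = [r["id"] for r in json.loads(p["config"].get("roles", "[]"))]
    # Walk resource-based permissions: resource -> applied policies -> roles.
    access = {}
    for p in export.get("policies", []):
        if p.get("type") != "resource":
            continue
        cfg = p["config"]
        for res in json.loads(cfg.get("resources", "[]")):
            m = RESOURCE_NAME.match(res)
            if not m:
                continue  # name does not follow the page's rule; not counted as a database
            for pol in json.loads(cfg.get("applyPolicies", "[]")):
                for role in roles_by_policy.get(pol, []):
                    access.setdefault(role, set()).add(m.group("db"))
    return {role: sorted(dbs) for role, dbs in access.items()}, malformed
```

Calling audit(SAMPLE_EXPORT) reports that abc-readers reaches database abc and that influx_xyz does not follow the naming rule.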

Assign a role to a user or group

You can use Keycloak to assign a role with associated permissions to a user or group.

Procedure

  1. Log in to the Keycloak admin console as an admin user.

  2. In the left navigation pane, select Users to choose a specific user, or Groups to choose a group.

  3. Select the Role Mappings tab.

  4. Select desired roles from the list of available roles and click Add selected for each one.

Results

The user or group now has access to the resources associated with the selected role.
Important

You can create users after installing IIoT Core Services using the Keycloak interface. These users cannot log in to the Solution Management UI by default. They must be manually assigned the admin role for the relevant solution packages, so they can also access the UI for those services from the Solution Management UI.