Manage Users and Roles

Keycloak provides comprehensive user lifecycle management and fine-grained role-based access control (RBAC). Users, roles, and groups are managed per Realm.

User Management

Create a User

Web Console

CLI

Log in to the Keycloak Admin Console and select the target Realm.
Click Users in the left navigation bar.
Click Create new user.
Fill in the required fields:

Field	Description
Username	Unique identifier for the user within the Realm
Email	User email address. Used for login if email login is enabled.
First Name / Last Name	Display name fields
Email Verified	If enabled, skips the email verification step
Enabled	If disabled, the user cannot log in

Click Create.
Go to the Credentials tab to set an initial password.

Use the Keycloak Admin REST API to create a user:

# Obtain an admin access token
ACCESS_TOKEN=$(curl -s -X POST \
  "https://<keycloak-host>/realms/master/protocol/openid-connect/token" \
  -d "client_id=admin-cli" \
  -d "username=<admin-user>" \
  -d "password=<admin-password>" \
  -d "grant_type=password" | jq -r '.access_token')

# Create the user
curl -s -X POST \
  "https://<keycloak-host>/admin/realms/<realm>/users" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "jdoe",
    "email": "jdoe@example.com",
    "firstName": "John",
    "lastName": "Doe",
    "enabled": true,
    "emailVerified": true,
    "credentials": [{
      "type": "password",
      "value": "changeme",
      "temporary": true
    }]
  }'

Reset User Password

In the Admin Console, go to Users and select the target user.
Click the Credentials tab.
Click Reset password.
Enter a new password and toggle Temporary if you want the user to change the password on next login.
Click Save password.

Role Management

Keycloak supports two types of roles:

Role Type	Scope	Use Case
Realm Roles	Scoped to the entire Realm	Represent global application roles (for example, `admin`, `user`)
Client Roles	Scoped to a specific client	Represent application-specific permissions (for example, `orders:read`)

Create a Realm Role

In the Admin Console, go to Realm Roles.
Click Create role.
Enter a Role name and optional Description.
Click Save.

Assign Roles to Users

Go to Users and select the target user.
Click the Role mapping tab.
Click Assign role.
Select the roles to assign and click Assign.

Group Management

Groups allow you to manage role assignments for multiple users at once. Assign roles to a group, and all group members inherit those roles automatically.

Create a Group

In the Admin Console, go to Groups.
Click Create group.
Enter a Name and click Create.
In the Role Mapping tab of the group, assign the desired Realm or client roles.

Add Users to a Group

Go to Users and select the target user.
Click the Groups tab.
Click Join Group, select the group, and click Join.

Composite Roles

A Composite Role is a role that contains other roles. When a user is assigned a composite role, they inherit all roles included in it. This simplifies permission management for complex role hierarchies.

To create a composite role:

Create a Realm role.
In the role's detail view, enable Composite role.
In the Associated roles tab, add the child roles.

#Manage Users and Roles

#TOC

#User Management

#Create a User

#Reset User Password

#Role Management

#Create a Realm Role

#Assign Roles to Users

#Group Management

#Create a Group

#Add Users to a Group

#Composite Roles