Model Monitoring access control

This page describes how Domino administrators can grant or revoke access to Domino Model Monitor. It covers two methods: a walkthrough of the Keycloak UI, and a script that grants or removes Model Monitor access for a list of users.

Use the Keycloak UI

  1. Open the admin UI at https://<deployment-url>/auth/admin and log in to Keycloak.

  2. Navigate to the DominoRealm realm from the dropdown:

    [Figure: Navigate to the realm]

  3. Navigate to the Users tab.

  4. Find the desired user (you may need to click View all users) and click edit.

    [Figure: Find and edit the user]

  5. Navigate to the Groups tab.

    To grant access:
    1. Click Available Groups > dmm-users.

    2. Click Join.

    To revoke access:
    1. Click Group Membership > dmm-users.

    2. Click Leave.

    [Figure: Manage access for groups]

  6. Repeat for all desired users.

Use the script

Important

If you are processing a large number of users, adjust the Keycloak access token settings in the UI first so that the token does not expire while the script is running:

  1. Log in to Keycloak.

  2. Navigate to Realm Settings in the Master realm.

  3. Click the Tokens tab.

  4. Increase the Access Token Lifespan to a value long enough for the script to finish processing all users.

  5. Save the changes, then follow the steps below to run the script.

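After the script finishes, restore the original Access Token Lifespan. A long-lived admin access token remains usable for its whole lifespan by anyone who obtains it.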

[Figure: Manage access token lifespan]

  1. To use the Domino Model Monitor Access Control Script, you must set environment variables based on your deployment:

    • Domino host URL (DOMINO_HOST)

    • Keycloak admin username (KEYCLOAK_ADMIN_USERNAME)

    • Keycloak admin password (KEYCLOAK_ADMIN_PASSWORD)

    • The Keycloak realm (KEYCLOAK_REALM) environment variable defaults to DominoRealm and can be overridden if needed.

    #   Domino host: DOMINO_HOST
    #   Keycloak admin username: KEYCLOAK_ADMIN_USERNAME
    #   Keycloak admin password: KEYCLOAK_ADMIN_PASSWORD
    KEYCLOAK_REALM="${KEYCLOAK_REALM:-"DominoRealm"}"

    To set these environment variables, replace the placeholders and run the following commands in the terminal:

    export DOMINO_HOST=https://placeholder.domino.tech
    export KEYCLOAK_ADMIN_USERNAME=placeholder_username
    export KEYCLOAK_ADMIN_PASSWORD=placeholder_password

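    Do not include a trailing "/" in the DOMINO_HOST value. Because the export commands are typed with the admin password in plain text, they are normally saved to the shell history of the account that runs them.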

  2. Run the script with a list of usernames and the command to execute.

    The example below shows how to format the list of usernames:

    '("user_1", "user_2", "user_3", ... )'

    Check that each username is spelled correctly. If a username is misspelled or doesn’t exist, the script silently skips that user and continues with the remaining users.

    The command can either be GRANT or REMOVE to grant or remove Model Monitor access for the specified usernames.

    For example, to grant Model Monitor access to two users (usernames foo and bar), run the following command:

    ./keycloak_dmm_access_control.sh '("foo", "bar")' GRANT
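
A pre-flight check for the inputs described above, as an added example that is not part of Domino's script: it validates DOMINO_HOST, the command and the username list format, and reports requested names that are missing from a list of known usernames, so a typo is caught before the script silently skips it. The function names, the https:// requirement and the known-usernames file (a constructed sample here) are assumptions of this example.

```shell
# Added example, not part of Domino's keycloak_dmm_access_control.sh.

# DOMINO_HOST must not end in "/" (from the page). Requiring https:// is an
# assumption of this example: the admin password is sent to this host.
check_host() {
  case $1 in
    */)         return 1 ;;
    https://?*) return 0 ;;
    *)          return 1 ;;
  esac
}

# The page allows exactly two commands.
check_command() {
  case $1 in GRANT|REMOVE) return 0 ;; *) return 1 ;; esac
}

# Parse the documented '("user_1", "user_2")' form into one name per line.
# Fails on missing parentheses, unquoted names or empty names.
parse_user_list() {
  printf '%s\n' "$1" | awk '{
    if ($0 !~ /^[ \t]*\(.*\)[ \t]*$/) exit 1
    sub(/^[ \t]*\(/, ""); sub(/\)[ \t]*$/, "")
    n = split($0, part, ",")
    if (n == 0) exit 1
    for (i = 1; i <= n; i++) {
      if (part[i] !~ /^[ \t]*"[^"]+"[ \t]*$/) exit 1
      sub(/^[ \t]*"/, "", part[i]); sub(/"[ \t]*$/, "", part[i])
      out = out part[i] "\n"
    }
    printf "%s", out
  }'
}

# Print requested names that are absent from a file of known usernames
# (one per line; assumed to be exported from Keycloak beforehand).
# Returns 2 when the list itself is malformed.
missing_users() {
  names=$(parse_user_list "$1") || return 2
  printf '%s\n' "$names" | while IFS= read -r name; do
    grep -Fxq -- "$name" "$2" || printf '%s\n' "$name"
  done
}

# Constructed sample: "barr" is a typo the script would silently skip.
known=$(mktemp) && printf '%s\n' foo bar alice > "$known"
check_host "https://placeholder.domino.tech" && check_command GRANT &&
  missing_users '("foo", "barr")' "$known"
rm -f "$known"
```

Any name this prints should be corrected in the list before running the access control script with GRANT or REMOVE.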