This page describes how Domino administrators can grant or revoke access to Domino Model Monitor. This page includes a walkthrough of how to use the Keycloak UI and a script that you can use to grant or remove user access to Domino Model Monitor.
-
Open the admin UI at
https://<deployment-url>/auth/admin
and log in to Keycloak. -
Navigate to the DominoRealm realm from the dropdown:
-
Navigate to the Users tab.
-
Find the desired user (you may need to click View all users) and click edit.
-
Navigate to the Groups tab.
To grant access:-
Click Available Groups > dmm-users.
-
Click Join.
To revoke access:-
Click Group Membership > dmm-users.
-
Click Leave.
-
-
Repeat for all desired users.
Using the script
Important
|
If there is a high volume of users, adjust the Keycloak AccessToken settings in the UI so the script runs uninterrupted:
Make sure to undo the changes after the script is done running.
|
-
To use the Domino Model Monitor Access Control Script, you must set environment variables based on your deployment:
-
Domino host URL (
DOMINO_HOST
) -
Keycloak admin username (
KEYCLOAK_ADMIN_USERNAME
) -
Keycloak admin password (
KEYCLOAK_ADMIN_PASSWORD
) -
The Keycloak realm (
KEYCLOAK_REALM
) environment variable defaults toDominoRealm
and can be overridden if needed.
# Domino host: DOMINO_HOST # Keycloak admin username: KEYCLOAK_ADMIN_USERNAME # Keycloak admin password: KEYCLOAK_ADMIN_PASSWORD KEYCLOAK_REALM="${KEYCLOAK_REALM:-"DominoRealm"}"
To set these environment variables, replace the placeholders and run the following commands in the terminal:
export DOMINO_HOST=https://placeholder.domino.tech export KEYCLOAK_ADMIN_USERNAME=placeholder_username export KEYCLOAK_ADMIN_PASSWORD=placeholder_password
Make sure that the trailing "/" is not included in the
DOMINO_HOST
variable. -
-
Run the script with a list of usernames and the command to execute.
The example below shows how to format the list of usernames:
'("user_1", "user_2", "user_3", ... )'
Ensure that the usernames are correctly spelled out. If a username is misspelled or doesn’t exist, the script silently skips that user and continues with the remaining users.
The command can either be
GRANT
orREMOVE
to grant or remove Model Monitor access for the specified usernames.For example, to grant Model Monitor access to two users (usernames
foo
andbar
), run the following command:./keycloak_dmm_access_control.sh '("foo", "bar")' GRANT