Keycloak - Reset Role and Reset Password Resolution

Keycloak Resolutions

This article goes over the resolutions for Keycloak permission issues that were implemented with OP Version 21.2.17.

Note: Any administrator user at your practice with authority to assign users permissions/security is a Keycloak Admin (has the AA_AccessSecurity_mi permission).

Reset Role Workflow Keycloak User

Keycloak is a back-end system that OP uses for user authentication. A user's Keycloak Admin role can get out of sync in two ways: the system still sees them as a Keycloak Admin although they don't have the AA_AccessSecurity_mi permission, or they have the permission but the system doesn't recognize them as an admin. When this happens, another Keycloak Admin can reset their role.

You will be able to tell that the role is out of sync if either of the following occurs:

  • The user no longer has the AA_AccessSecurity_mi permission but can still see the Reset Role and Reset PW columns on the Credentials tab of the Keycloak Correspondent record.
  • The user has been given the AA_AccessSecurity_mi permission but can't see the Reset Role and Reset PW columns on the Credentials tab of the Keycloak Correspondent record. 

To reset the role, navigate to Correspondents > select Keycloak > Credentials tab, then click the Reset Role button for the out-of-sync user.

Reset Password Workflow for Authentication Failures

If the background access management (Keycloak) login fails to authenticate during OP login, OP presents an error message telling the user to reach out to a Keycloak Admin.

To fix the error, the Keycloak Admin will need to reset the user's Keycloak password (not OP password). Navigate to Correspondents > select Keycloak > Credentials tab, then click the Reset PW button for the user. 

Note: Keycloak Admins have the AA_AccessSecurity_mi permission. Until the Keycloak password is fixed, the user will be able to access OP, but some of the integrated products, like Data Rec, Carequality, and PMX+, will not work.