Manage user permissions


CAST Imaging controls access with roles and profiles: you bundle roles (and, optionally, specific applications/domains) into a profile, then assign that profile to users or groups. This page explains the model; the pages below cover the tasks.

Access the settings in the UI:


text

How access works

  • A role grants permission to perform specific actions or view specific data (for example Source Code Access or Application Owner).
  • A profile bundles one or more roles, and can be scoped to all - or only specific - applications and domains.
  • A profile is assigned to a user or group. A user must have a profile (directly or via a group) before they can log in.

Where users and groups come from

Users and groups listed in the Users tab are defined via the CAST Imaging authentication system (i.e. Keycloak). Keycloak supports:

  • local users/groups defined in Keycloak (recommended only for POCs or small deployments)
  • integration with LDAP/Active Directory/SAML enterprise authentication systems

Users and groups are synced from Keycloak at 0300 every day - you can also click the Refresh button to force a synchronization and fetch the latest users/groups:

How multiple profiles combine

A user can have more than one profile — assigned directly, and/or inherited through group membership. When this happens, the most permissive permission takes priority and overrides the others. For example, an Application Owner role on an application is not reduced by a Viewer Read Only role granted through another profile on that same application.

Tasks

Reference: the predefined profiles and every role, with the permissions each grants.

Give a user or group access by assigning them a profile.

Build your own profile from roles and scope it to specific applications or domains.

A worked multi-team example that ties the concepts together.