IWeb Administrator Guide

Keycloak Roles

Keycloak roles allow users to access multiple STC applications with one login via Single Sign-On (SSO). (See STC Application Interoperability.) Users are granted access to each application individually via access roles in the IWeb application (or ImMTrax for WIR implementations) user management area.

There are two types of roles used in Keycloak:

Application Access Roles - These roles allow access to each of the applications. An access role must be assigned to a user before they can access that application through the SSO login page/dashboard. These roles do not control application behavior at all.
User Type Roles - These roles assign access levels to users. For example, State Level Permissions and Provider Interface Profile Form are two user type roles that control how the STC | iQ application behaves for the user.

To assign one or more Keycloak roles to a user, see User Management Settings in the IWeb User Guide.

All users should be given the Access IWeb Keycloak application access role in order to use the password reset link on the login page. (Users must also have a valid email address in order to use this feature.)

The following are the currently available Keycloak application access roles:

Application Access Role	Description
Access AFIX	Application access role required to access the STC \| SMaRT AFIX application.
Access iQ	Application access role required to access the STC \| iQ application.
Access IWeb	Application access role required to access the IWeb application.
Access LMS	Application access role required to access the STC \| U Learning Management System.
Access PHC-Hub	Application access role required to access the PHC Hub application.
Access VOMS	Application access role required to access the VOMS application.

The following are example user type roles that may be available for some of the applications. These may be dependent on individual applications and may be subject to change.

Example User Type Role	Description
State Level Permissions	Might be used by STC\|iQ and VOMS State users. Also might be used by STC \| SMaRT AFIX users to access the application, run reports for all providers, access the AFIX Online Tool, and run Master Rate comparisons.
Organization Provider Content (Data) Security	Might be used by STC\|iQ Organization users.
Provider Level Permissions	Might be used by STC\|iQ or VOMS Facility users.
Provider Interface Profile Form	Might be used by STC\|iQ Organization or Facility users who only need access to their interface form in the application as part of onboarding.
Provider Level Permissions	Might be used by SMaRT AFIX users to access the application and run reports for their assigned provider (organization/facility).
Access Manage Users Page	Might be used by SMaRT AFIX users to access the Manage Users page.

The table below displays access levels and the required and optional Keycloak roles to access the various applications. Note that the Keycloak roles should match user permissions when applicable. If IWeb and Keycloak permissions and roles do not match, the user may see a blank screen or not be able to access organizations or facilities.

Access Level	Required Keycloak Roles	Optional Keycloak Roles to Access Applications
Facility Client	Provider Level Permissions Access IWeb	Access AFIX (for SMaRT AFIX) Access iQ Access PHC Hub Access VOMS Provider Interface Profile Form
Organization Client	Organization Provider Content (data) Security Access IWeb	Access AFIX (for SMaRT AFIX) Access iQ Access PHC Hub Access VOMS Provider Interface Profile Form
Registry Client	State Level Permissions Access IWeb	Access AFIX (for SMaRT AFIX) Access iQ Access PHC Hub Access VOMS Provider Interface Profile Form

If you have any questions about your access level, permissions, or Keycloak roles, contact your state's system administrator.