Skip to main content

Console Bootstrap And Persona Journeys

This runbook explains how the first AWS dev platform owner is established and what each user persona can do after OP-067, OP-068, and OP-069 are deployed.

First Platform Owner

The first system_admin is created outside OneProtect tenant management. OP-069 APIs require system_admin, so they cannot bootstrap their own first platform owner.

For AWS dev, create the first platform owner through the Keycloak admin console or a future Secret-backed bootstrap job:

  1. Sign in to the Keycloak admin console with the Kubernetes Secret-backed Keycloak admin credentials.
  2. Switch to the oneprotect-dev realm.
  3. Create or update the platform-owner user.
  4. Set email, first name, and last name; mark email verified.
  5. Set a temporary password and require password reset on first login.
  6. Clear any accidental profile-update/VERIFY_PROFILE required action after the profile fields are complete.
  7. Add user attributes:
    • tenant_id: platform-admin
    • oneprotect_role: system_admin
  8. Assign the system_admin realm role if the realm uses role assignments for operator visibility. The OneProtect API relies on the mapped oneprotect_role attribute for the role claim.
  9. Confirm the access token contains tenant_id = platform-admin, role = system_admin, and an actor claim.

platform-admin is an actor-context marker, not a customer tenant. Do not commit the first platform-owner password, Keycloak admin password, or bootstrap script secrets to the repo.

For tenant users created through OP-069/OP-071, Keycloak bootstrap is mandatory for tenant_admin, operator, and auditor. The API requires email and a strong temporary password, writes email, first name, last name, tenant_id, oneprotect_role, and oneprotect_user_id, re-fetches Keycloak to verify those values, and commits the OneProtect tenant role only after verification passes.

Tenant Bootstrap Journey

After the first system_admin can log in:

  1. The platform owner signs in through Keycloak.
  2. The frontend calls /api/v1/session and receives role = system_admin.
  3. The Settings page renders the super-admin tenant onboarding panel.
  4. The platform owner creates a tenant.
  5. The platform owner creates a bootstrap tenant user as tenant_admin, operator, or auditor.
  6. The API creates or updates the matching Keycloak user, verifies tenant_id, oneprotect_role, email, enabled state, and password credential, then commits the OneProtect role assignment.
  7. If the UI reports a 422 identity-provider failure, fix the remediation item before retrying; no SQL tenant-user role was committed.
  8. The tenant user signs in and receives a tenant-scoped session.

OP-069 does not create additional system_admin users. Additional platform owners remain an operator-controlled Keycloak bootstrap concern.

Persona Journeys

PersonaSourceCore Phase 1 journey
system_adminKeycloak bootstrap onlyCreate tenants, bootstrap tenant users, inspect platform setup paths, and hand off to tenant admins.
tenant_adminOP-069 tenant bootstrap or SCIMConfigure enrollment tokens, discovery policies, SCIM mappings, Intune posture, compliance policies, auditor sessions, exports, and tenant users through supported APIs.
operatorOP-069 tenant bootstrap or SCIMTriage alerts, create/update tickets, investigate assets, search SIEM logs, and run approved operator workflows.
auditorOP-069 tenant bootstrap or SCIMUse read-only, time-boxed, redacted evidence/export views with no mutation controls.

Frontend role-aware rendering is not an authorization substitute. Backend APIs remain authoritative for role checks, tenant isolation, audit, and redaction.

Validation

Validate in order:

  1. Log in as the first system_admin.
  2. Confirm /api/v1/session returns role = system_admin.
  3. Create a pilot tenant from Settings.
  4. Create a tenant_admin user for that tenant.
  5. Confirm the bootstrap response includes successful Keycloak verification.
  6. Log out, use Switch user or an incognito/private window, and log in as the tenant admin.
  7. Confirm tenant-scoped admin panels appear and the super-admin panel is hidden.
  8. Create operator and auditor users.
  9. Confirm operator mutation controls appear only for operator/admin roles.
  10. Confirm auditor sees read-only/redacted views and no mutation controls.
  11. Check audit records for tenant creation, user bootstrap, and denied access attempts.