Identity and Access Management

As Hazy's use cases often involves confidential data, robust access control management is required to ensure only the rightful party can access specific resources.

Currently, Hazy supports Role-based access control (RBAC), allowing for fine-grained configuration of different roles for its platform users.

User management and access control is configured via Keycloak, our chosen Identity and Access Management (IAM) server running in conjuction with the hub. Keycloak can be installed in both Hazy Single container and Distributed architecture deployments. Please refer to Hazy's Keycloak installation page for more details on setup.

Identity Management

Keycloak provides several identify providers, including:

  • User federations from LDAP and Active Directory.
  • OIDC
  • SAML

These can be configured within Keycloak. Please refer to Keycloak documentaion for details on identify management setup.

Access Management

Hazy uses the OAuth2.0 to limit user's access to resources.

In the context of OIDC, there are typically 2 clients at play for a normal UI session. The UI context within the web browser acts as one OAuth client, named hazy-hub-frontend. The backend hub web server acts as the second client, named hazy-hub-backend. The OAuth mechanism is used to enable the user to provide, via login through keycloak (and possibly in turn a downstream idP such as Active Directory) a token to the Hazy frontend (SPA) web application which can be used to ensure actions that take place in the backend are authorised.

Moreover, the use of scopes are used to provide access to specific functionality within the context of Hazy. In short, scopes are privileges to resources that the Hazy platform gains on-behalf-of the user who is currently signed in. Please refer to OAuth2.0 Scopes for more details on the scope mechanism.

The Hub backend will verify incoming tokens to ensure the necessary scopes have been issued before handling the request. The required scopes for an operation in Hazy are not configrable but it is possible to adjust the mapping of roles to enabled scopes on a per user and/or client basis within keycloak.

The default hazy realm in the Hazy-provided keycloak image is pre-configured a set of recommended roles and mappings from those roles to client scopes.

The following scopes and roles are preconfigured upon a Hazy install:

Object Action Scope Role
Project Create hazy:Project:Create hazy:ProjectAuthor
Project Update hazy:Project:Update hazy:ProjectAuthor
Project Read hazy:Project:Read hazy:ProjectViewer
Project Delete hazy:Project:Delete hazy:ProjectAuthor
Project List hazy:Project:List hazy:ProjectViewer
DataSource List hazy:DataSource:List hazy:ConfigAuthor
DataSource Read hazyDataSource:Read hazy:ConfigAuthor
Config Create hazy:Config:Create hazy:ConfigAuthor
Config Update hazy:Config:Update hazy:ConfigAuthor
Config Read hazy:Config:Read hazy:ConfigViewer
Config Delete hazy:Config:Delete hazy:ConfigAuthor
Config List hazy:Config:List hazy:ConfigViewer
SampleData Read hazy:SampleData:Read hazy:SampleDataViewer
ModelMetrics Read hazy:ModelMetrics:Read hazy:MetricsViewer
QA Report Create hazy:QAReport:Create hazy:QAReportAuthor
QA Report Read hazy:QAReport:Delete hazy:QAReportViewer
Model Create hazy:Model:Create hazy:ModelAuthor
Model Update hazy:Model:Update hazy:ModelAuthor
Model Read hazy:Model:Read hazy:ModelViewer
Model Delete hazy:Model:Delete hazy:ModelAuthor
Model List hazy:Model:List hazy:ModelViewer
SourceData List hazy:SourceData:List hazy:ConfigAuthor
AnalysisJob Create hazy:AnalysisJob:Create hazy:AnalysisJobAuthor
AnalysisJob Update hazy:AnalysisJob:Update hazy:AnalysisJobAuthor
AnalysisJob Read hazy:AnalysisJob:Read hazy:AnalysisJobViewer
AnalysisJob Delete hazy:AnalysisJob:Delete hazy:AnalysisJobAuthor
AnalysisJob List hazy:AnalysisJob:List hazy:AnalysisJobViewer
TrainJob Create hazy:TrainJob:Create hazy:TrainJobAuthor
TrainJob Update hazy:TrainJob:Update hazy:TrainJobAuthor
TrainJob Read hazy:TrainJob:Read hazy:TrainJobViewer
TrainJob Delete hazy:TrainJob:Delete hazy:TrainJobAuthor
TrainJob List hazy:TrainJob:List hazy:TrainJobViewer
GenerateJob Create hazy:GenerateJob:Create hazy:GenerateJobAuthor
GenerateJob Update hazy:GenerateJob:Update hazy:GenerateJobAuthor
GenerateJob Read hazy:GenerateJob:Read hazy:GenerateJobViewer
GenerateJob Delete hazy:GenerateJob:Delete hazy:GenerateJobAuthor
GenerateJob List hazy:GenerateJob:List hazy:GenerateJobViewer
SyntheticData List hazy:SyntheticData:List hazy:SyntheticDataViewer
SyntheticData Read hazy:SyntheticData:Read hazy:SyntheticDataViewer


  • As explained above, roles are made up of a list of scopes (e.g. role hazy:AnalysisJobAuthor contains scopes [hazy:AnalysisJob:Create,hazy:AnalysisJob:Update, hazy:AnalysisJob:Delete]).
  • Whenever a user logs in, Keycloak will send two JavaScript Web Tokens (i) identity token - identifying the user and (ii) access token that lists the scopes that are defined under the user's roles. Hazy can then use these scopes on behalf of the user to access resources.
  • Scope checking for the access token is done both on the frontend and backend of the hub.
  • Hazy system admins can create additional roles, assign these to groups of users/specific users, add any of the scopes listed above through Keycloak, allowing for flexible access control management.
  • In addition to these scopes, top level hazy:DataProducer and hazy:DataConsumer roles, based other roles are available on initial install. These provide an example way to segregate viewers/authors of Generator Models:
Top Role Sub-Role
hazy:DataConsumer hazy:ProjectViewer
hazy:DataConsumer hazy:SyntheticDataViewer
hazy:DataConsumer hazy:ModelViewer
hazy:DataConsumer hazy:GenerateJobAuthor
hazy:DataConsumer hazy:GenerateJobViewer
hazy:DataProducer hazy:ProjectViewer
hazy:DataProducer hazy:ProjectAuthor
hazy:DataProducer hazy:ConfigViewer
hazy:DataProducer hazy:ConfigAuthor
hazy:DataProducer hazy:AnalysisJobViewer
hazy:DataProducer hazy:AnalysisJobAuthor
hazy:DataProducer hazy:TrainJobViewer
hazy:DataProducer hazy:TrainJobAuthor
hazy:DataProducer hazy:GenerateJobViewer
hazy:DataProducer hazy:GenerateJobAuthor
hazy:DataProducer hazy:ModelViewer
hazy:DataProducer hazy:ModelAuthor
hazy:DataProducer hazy:QAReportViewer
hazy:DataProducer hazy:QAReportAuthor
hazy:DataProducer hazy:SyntheticDataViewer


  • The hazy:DataConsumer role has access to the GeneratorModels and can create synthetic data.
  • The hazy:DataProducer role has a near full access to the Hazy platform.
  • The additional roles hazy:SampleDataViewer (that allows for sampling of real data during configuration) and hazy:MetricsViewer (that allows for viewer the model metrics which includes evaluation between real/synthetic data) are both not part of the top-role hazy:DataProducer and hazy:DataConsumer by default.

For further details on role managment and delegation to Hazy users, please refer to our Keycloak page for more details.

Identity and Access Management