Users and Roles in Aerobase/Keycloak and Nintex Kryon Admin Tool Tool

Users type overview

Nintex Kryon RPA solution and components feature two types of users; Nintex Kryon RPA Admin user, and Kryon client application user.

Admin user:

A user that can access the Nintex Kryonmanagement component; Nintex Kryon Admin Tool Tool.
Admin user can create client application users if it has the appropriate roles.
Admin users can be initially created and managed in Aerobase/Keycloack.
Once an Admin user is created with the appropriate access role in Aerobase, the same user can create and manage more Admin users directly through the Nintex Kryon Admin Tool Tool.

Client application user:

A user with different types of access as assigned by the Admin user.
With the appropriate roles, the client application user can access the Nintex Kryon RPA client applications; Nintex Kryon Console Plus, Studio, an Attended/Unattended Robots.

Creating and managing Admin users

To access and use the Nintex Kryon Admin Tool Tool, you need to create a user on Keycloak Admin Console and assign the user the appropriate roles as described in the table below.

Step 1: Open Keycloak Admin Console / Aerobase by logging in using the Authadmin user credentials as provided in the documentation.

URL format to access the management tool: FQDN/auth/admin/Kryon/console/

EXAMPLE:

Note: The Authadmin user provides access and user management permission on Keycloak Admin Console only. This user has one assigned role to it, the auth-admin-access role. Make sure not to modify the roles of this user unless you are instructed to by Nintex Kryon Support.

Step 2: Go to Manage > Users > Create User and create a user.

Step 3: Click the Role Mappings tab to assign roles to the user as following:

Assign the admin-access role (Realm Roles) + Nintex Kryon-admin-tool (Client Roles).
Assign one or more of the following Realm roles considering the type of access and permissions each role allows:

Role	Allowed access and permission type
admin-catalog	Wizard Catalog (view+manage) Sensor Catalog (view+manage) Applications (view+manage) License (activation only) Companies and Users (view only)
admin-permissions	Wizard Catalog (view+manage) Sensor Catalog (view+manage) Applications (view+manage) License (activation only) Companies and Users (view+manage) Client application users (view+manage)
admin-license	Wizard Catalog (view+manage) Sensor Catalog (view+manage) Applications (view+manage) License tab (activation only) Companies and Users (view+manage) Client application users (view+manage) Admin users (view+manage)*

In Orange: The common access and permissions between the three (3) roles.
In Green: The common access and permissions between the admin-permissions and the admin-license roles.
Any other roles are not relevant and can be disregarded.

*A user with admin-license role can create and manage other Admin users and Nintex Kryonclient application users directly through theNintex Kryon Admin Tool tool.

Nintex Kryon RPA Admin users are managed under Tools in the Nintex Kryon Admin Tool Tool. The roles available are equivalent to the roles in Keycloak/Aerobase as described above (Step 3 > Role Mapping > b.).

Admin users created by the Nintex Kryon Admin Tool Tool can be viewed and managed through Aerobase (Keycloak Admin Console) and through the Nintex Kryon Admin Tool tool.
Admin users created by Aerobase are managed and viewed only on Aerobase (Keycloak Admin Console).

Importing users

To make it easy to create a large number of users at one time, Nintex Kryon Admin Tool allows you to import them from a CSV file. Doing so is a 3-stage process:

Download the Import Users file template.
Fill in the template with user information.
Import the file.

Nintex Kryonapplication users vs. Admin users

Nintex Kryonclient application users are managed under the Users tab (Nintex Kryon Admin Tool Tool > General > Users). Only Admin users with the assigned roles of either admin-permissions or admin-license can manage (create new users and edit existing users) Nintex Kryon client applications users.

Creating a new user

In the Menu Pane, click Companies and Users.
In the Entities Pane, select the company for which you are creating a user.
In the Properties Pane, select the Users tab.
Click New User.
Enter the required information in the New User dialog then click Save.

Enter a username, full name, and email address.
Select whether the new user is active.
Generally, the default value of Active is applicable to new users. However, the user status can be changed at any time.
Assign the user to one or more roles.
Enter and confirm new password:
- Password-related fields are not applicable to Domain authentication and will not be visible when this authentication method is used.
- Passwords require a minimum of 8 characters and must include at least 2 of the following: uppercase letters, lowercase letters, numbers, and symbols.
- To create a random-generated password, click Generate Password.
- To copy the password to the Windows clipboard, click the icon.
Select whether the user is required to change the password the next time he/she logs in.
This is often appropriate for human users, but not for unattended robots.

Nintex Kryon client application user roles

Client application roles can be managed directly through the Kryon Admin Tool (recommended). You can also manage the same exact roles through Aerobase/Keycloak. The table below maps out the roles as they appear in the Nintex Kryon Admin Tool Tool and their equivalent roles in Aerobase/Keycloak.

Role in Nintex Kryon Admin Tool Tool	Role in Aerobase/Keycloak	Description
Attended Robot	attended-robot	A human-end-user who runs automations on the desktop via the Nintex Kryon assistant client
Unattended Robot	unattended-robot	A virtual user that runs automations without human intervention via the Nintex Kryon Robot Client (generally initiated on a virtual machine)
Studio Developer	studio-developer	An automation developer who records/creates/edits automations in Nintex Kryon Studio
Console View Only	console-view-only	A permission to view the available information in the Nintex Kryon RPA Console Plus
Console Manager	console-user	An RPA administrator who schedules and manages unattended Robot tasks using Nintex Kryon Console Plus. This could also be a user created to schedule and manage tasks via API calls. Assign this type of user the Console Plus User role, then tick the Supported API calls check-box that appears underneath (Supported API calls).
Supported API calls	supports-api-calls	This role allows the user to schedule and manage tasks via API calls. This role become available only when the `Console Manager` role is selected.

Any other roles are not relevant and can be disregarded.

Download the Import Users file template

To download the Import Users file template:

Go to Companies and Users and select the Users tab.
Click the button.
In the dialog box, click the link to Download the Import Users template and select a download location.

Import the file

To import the completed Import Users file:

Go to Companies and Users and select the General tab.
Click the button.
In the dialog box, click the Browse button and navigate to the Import Users CSV file you created.
Tick the checkbox if users are required to change their passwords the next time they log in.

This is often appropriate for human users, but not for unattended robots

Click the Import button.

The users listed in the file are created.