Users & Permissions
Presswerk uses a role-based access model with granular permissions at the folder and environment level.
Automatic Creation
Users are automatically created in the Presswerk database on first login via the identity provider (Keycloak/OIDC). First name, last name, and email are taken from the JWT token.
Pre-creating Users
Admins can also pre-create users (e.g. for invitations):
- Navigate to Users in the sidebar
- Click Add User
- Enter the email address
- Optionally: assign the admin role
The user must then be created in the identity provider (Keycloak) to be able to log in.
Roles are assigned in Keycloak and read from the JWT claim realm_access.roles.
| Role | Permission |
|---|---|
| admin | Full access within the tenant — user/group management, environments, permissions. Bypasses all permission checks. |
| platform_admin | Tenant management, cross-tenant access (SaaS edition only) |
| (none) | Regular user — access controlled by folder and environment permissions |
Groups
Groups bundle users for shared permissions.
Creating a Group
- Navigate to Users → Groups tab
- Click New Group
- Enter a name and optionally a description
- Add members
External Mappings (automatic sync)
Groups can have external mappings — a list of external group names that match the identity provider.
When a JWT contains a group name that matches an external mapping, the user is automatically added to the Presswerk group.
Example: The Presswerk group “Sales” has the external mapping sales-team. When a user logs in and their JWT contains the group sales-team, they are automatically added to the “Sales” group.
This enables automatic synchronization with:
- LDAP / Active Directory groups
- Microsoft Entra ID (Azure AD) groups
- Keycloak groups
Folder Permissions
Folder permissions control who can view and edit which resources (reports, data sets, data sources). Permissions are assigned per folder and inherited by subfolders.
Permission Levels
| Level | Read | Write | Delete | Manage Permissions |
|---|---|---|---|---|
| viewer | Yes | No | No | No |
| editor | Yes | Yes | No | No |
| owner | Yes | Yes | Yes | Yes |
Assigning Permissions
Permissions can be assigned to individual users or groups:
- Navigate to the desired folder
- Open the folder settings / permissions
- Add a user or group
- Select the permission level
Resolution
- When multiple sources apply (direct + group), the highest permission wins
- Permissions are inherited along the folder hierarchy (parent → child)
- Admins bypass all permission checks
Environment Permissions
Environment permissions control who can deploy to which environments. They are binary — a user either has access or not (no levels like folder permissions).
Assigning Permissions
- Navigate to Environments
- Open an environment
- Add users or groups that should be able to deploy to this environment
Users without environment permission do not see the environment in the deploy drawer.
Putting it Together
To deploy a report to an environment, a user needs:
- Folder permission (editor or owner) on the report’s folder
- Environment permission for the target environment
Admins bypass both checks.
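
The resolution rules and the deploy check described above, modelled as an added example (this is not Presswerk's own code). The folder tree, users, grants and function names are constructed for illustration, and the sketch assumes that a weaker grant on a subfolder never lowers a stronger inherited one, which the page does not state.

```python
from dataclasses import dataclass, field

# Ordering taken from the Permission Levels table.
LEVELS = {"viewer": 1, "editor": 2, "owner": 3}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # as read from realm_access.roles
    groups: set = field(default_factory=set)  # Presswerk groups the user is in

# Constructed sample data: folder tree and grants are hypothetical.
PARENT = {"/reports/sales/q1": "/reports/sales", "/reports/sales": "/reports"}
FOLDER_GRANTS = {  # folder -> {principal: level}
    "/reports": {"group:Sales": "viewer"},
    "/reports/sales": {"user:alice": "editor"},
}
ENV_GRANTS = {"staging": {"user:alice", "group:Sales"}, "production": {"group:Release"}}

def principals(user):
    """The user plus every group they belong to, as grant keys."""
    return {f"user:{user.name}"} | {f"group:{g}" for g in user.groups}

def effective_level(user, folder):
    """Highest level across direct and group grants on folder and its ancestors."""
    who, best = principals(user), None
    while folder is not None:
        for principal, level in FOLDER_GRANTS.get(folder, {}).items():
            if principal in who and (best is None or LEVELS[level] > LEVELS[best]):
                best = level  # assumption: a weaker child grant never lowers this
        folder = PARENT.get(folder)  # walk from the folder up to the root
    return best  # None means no grant applies, so no access

def can_deploy(user, folder, env):
    """Deploy needs editor/owner on the folder AND a grant on the environment."""
    if "admin" in user.roles:
        return True  # admins bypass both checks
    folder_ok = effective_level(user, folder) in ("editor", "owner")
    env_ok = bool(principals(user) & ENV_GRANTS.get(env, set()))
    return folder_ok and env_ok

if __name__ == "__main__":
    alice = User("alice", groups={"Sales"})
    bob = User("bob", groups={"Sales"})
    for u in (alice, bob):
        print(u.name, effective_level(u, "/reports/sales/q1"),
              can_deploy(u, "/reports/sales/q1", "staging"))
```

In the sample data bob holds the staging environment permission through the Sales group but only inherits viewer on the folder, so the deploy is refused: both conditions must hold for non-admins.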