

Members of an organization can have role assignments that are specific to that organization. These are separate from Keycloak realm and client roles, and do not inherit from them. There is a set of default roles that control access to functionality within Phase Two, and additional roles can be added for your application's purposes. Role creation, management and assignment can be done in the Organizations tab of the Admin UI.

Default roles

The default roles can be assigned to users to give them access to view and manage organization data.

view-organization: View organization details.
manage-organization: Update organization details. Delete the organization.
view-members: View memberships.
manage-members: Add and remove memberships.
view-roles: View roles and assignments.
manage-roles: Create and remove roles and assignments.
view-invitations: View outstanding invitations.
manage-invitations: Create and remove pending invitations.
view-identity-providers: View configured identity providers for SSO.
manage-identity-providers: Create, manage and remove identity providers for SSO.

[Screenshot: Keycloak Phase Two Organizations Roles List]

Custom roles

Custom roles can be created in the Roles section of each organization in the Organizations tab of the Admin UI. Note that a role is created for each organization individually. If you want the same role name in multiple organizations, it is recommended that you create the roles programmatically on organization creation.

[Screenshot: Keycloak Phase Two Organizations Roles Create]

Adding roles to the token

It is possible to map organization roles into the access token, ID token or userinfo endpoint response using the Organization Role token claim mapper for OIDC. If you have users that will have a large number of organization memberships or roles per organization, it is recommended that you only add the claim to the userinfo endpoint response, because the claim can otherwise make the tokens large.
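As an added example (not Phase Two's own code), this is one way a resource server can enforce an organization role from token claims whose signature has already been verified. The claim name `organizations` and its shape (an object keyed by organization ID, each entry holding `name` and `roles`) are assumptions; match them to your mapper's configuration.

```python
import json

# Assumed claim layout (not stated on this page): an object keyed by
# organization ID, each entry holding "name" and "roles".
CLAIM_NAME = "organizations"  # assumption: the name configured on the mapper


def org_roles(claims, org_id, claim_name=CLAIM_NAME):
    """Return the caller's roles in one organization, or an empty set."""
    orgs = claims.get(claim_name)
    if not isinstance(orgs, dict):
        return frozenset()  # claim absent (e.g. mapped to userinfo only) or malformed
    entry = orgs.get(org_id)
    if not isinstance(entry, dict):
        return frozenset()  # caller is not a member of this organization
    roles = entry.get("roles")
    if not isinstance(roles, list):
        return frozenset()
    return frozenset(r for r in roles if isinstance(r, str))


def is_authorized(claims, org_id, required_role):
    """Default-deny check scoped to the organization named in the request."""
    return required_role in org_roles(claims, org_id)


def claim_size(claims, claim_name=CLAIM_NAME):
    """Bytes the claim adds to the JSON payload, before base64url expansion."""
    body = json.dumps(claims.get(claim_name, {}), separators=(",", ":"))
    return len(body.encode())


# Constructed sample: decoded claims of an already-verified token.
SAMPLE = {
    "sub": "user-1",
    # Realm role with the same name: must not grant anything inside an org.
    "realm_access": {"roles": ["manage-members"]},
    "organizations": {
        "org-a": {"name": "Acme", "roles": ["view-members", "manage-members"]},
        "org-b": {"name": "Beta", "roles": ["view-members"]},
    },
}

if __name__ == "__main__":
    print(is_authorized(SAMPLE, "org-a", "manage-members"))
    print(is_authorized(SAMPLE, "org-b", "manage-members"))
    print(claim_size(SAMPLE), "bytes of claim payload")
```

The check looks up the role only under the organization the request targets, so a role held in one organization, or a realm role of the same name, never authorizes an action in another.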

API access

It is possible to create, update, delete and fetch all organization roles, as well as grant, revoke, verify and fetch all user assignments using the API.