> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Model Monitoring access control

This page describes how Domino administrators can grant or revoke access to Domino Model Monitor. This page includes a walkthrough of how to use the Keycloak UI and a script that you can use to grant or remove user access to Domino Model Monitor.

## Use the Keycloak UI

1. Open the admin UI at `https://<deployment-url>/auth/admin` and log in to Keycloak.

2. Navigate to the **DominoRealm** realm from the dropdown:

   <img src="https://mintcdn.com/dominodatalab-e871cec4/O7LjTllMke2wnkZN/images/5.5/dmm_access_control_ui/dmm_access_1.png?fit=max&auto=format&n=O7LjTllMke2wnkZN&q=85&s=1cdb62a553aac8283c9f41efef999970" alt="Navigate to the realm" width="978" height="802" data-path="images/5.5/dmm_access_control_ui/dmm_access_1.png" />

3. Navigate to the **Users** tab.

4. Find the desired user (you may need to click **View all users**) and click **edit**.

   <img src="https://mintcdn.com/dominodatalab-e871cec4/O7LjTllMke2wnkZN/images/5.5/dmm_access_control_ui/dmm_access_2.png?fit=max&auto=format&n=O7LjTllMke2wnkZN&q=85&s=21a3cb960ee6ceec1e33745eb5693ea0" alt="Find and edit the user" width="3052" height="1284" data-path="images/5.5/dmm_access_control_ui/dmm_access_2.png" />

5. Navigate to the **Groups** tab.

   To grant access:

   1. Click **Available Groups** > **dmm-users**.

   2. Click **Join**.

   To revoke access:

   1. Click **Group Membership** > **dmm-users**.

   2. Click **Leave**.

   <img src="https://mintcdn.com/dominodatalab-e871cec4/O7LjTllMke2wnkZN/images/5.5/dmm_access_control_ui/dmm_access_3.png?fit=max&auto=format&n=O7LjTllMke2wnkZN&q=85&s=57ac0be479290dbb0bcbb8a52cce7866" alt="Manage access for groups" width="1764" height="590" data-path="images/5.5/dmm_access_control_ui/dmm_access_3.png" />

6. Repeat for all desired users.

### Using the script

<Warning>
  If there is a high volume of users, adjust the Keycloak **AccessToken** settings in the UI so the script runs uninterrupted:

  1. Log in to Keycloak.

  2. Navigate to **Realm Settings** in the **Master** realm.

  3. Click the **Tokens** Tab.

  4. Increase the **Access Token Lifespan** to something sufficiently large.

  5. Save the changes, then follow the steps below to run the script.

  Make sure to undo the changes after the script is done running.

  <img src="https://mintcdn.com/dominodatalab-e871cec4/O7LjTllMke2wnkZN/images/5.5/dmm_access_control_ui/dmm_access_4.png?fit=max&auto=format&n=O7LjTllMke2wnkZN&q=85&s=8158b18639222b42f5afa7bacab3b81c" alt="Manage access token lifespan" width="1272" height="873" data-path="images/5.5/dmm_access_control_ui/dmm_access_4.png" />
</Warning>

1. To use the [Domino Model Monitor Access Control Script](/attachments/5.5/keycloak_dmm_access_control.sh), you must set environment variables based on your deployment:

   * Domino host URL (`DOMINO_HOST`)

   * Keycloak admin username (`KEYCLOAK_ADMIN_USERNAME`)

   * Keycloak admin password (`KEYCLOAK_ADMIN_PASSWORD`)

   * The Keycloak realm (`KEYCLOAK_REALM`) environment variable defaults to `DominoRealm` and can be overridden if needed.

   ```shell theme={null}
   #   Domino host: DOMINO_HOST
   #   Keycloak admin username: KEYCLOAK_ADMIN_USERNAME
   #   Keycloak admin password: KEYCLOAK_ADMIN_PASSWORD
   KEYCLOAK_REALM="${KEYCLOAK_REALM:-"DominoRealm"}"
   ```

   To set these environment variables, replace the placeholders and run the following commands in the terminal:

   ```shell theme={null}
   export DOMINO_HOST=https://placeholder.domino.tech
   export KEYCLOAK_ADMIN_USERNAME=placeholder_username
   export KEYCLOAK_ADMIN_PASSWORD=placeholder_password
   ```

   Make sure that the trailing "/" is not included in the `DOMINO_HOST` variable.

2. Run the script with a list of usernames and the command to execute.

   The example below shows how to format the list of usernames:

   ```shell theme={null}
   '("user_1", "user_2", "user_3", ... )'
   ```

   Ensure that the usernames are correctly spelled out. If a username is misspelled or doesn’t exist, the script silently skips that user and continues with the remaining users.

   The command can either be `GRANT` or `REMOVE` to grant or remove Model Monitor access for the specified usernames.

   For example, to grant Model Monitor access to two users (usernames `foo` and `bar`), run the following command:

   ```shell theme={null}
   ./keycloak_dmm_access_control.sh '("foo", "bar")' GRANT
   ```
