Skip to main content

QEA Guide: Setting Up and Using Tide QEA

Goal: turn on quorum governance for a Tide realm, link your first admin, add more admins, and authorize and commit governed changes.

This is a task recipe. For what QEA (Quorum Enforced Authorization) is and why changes go through it, see the Admin Overview. For the end-to-end governance flow under the hood, see Quorum Enforced Governance.

Assumptions

  • A running TideCloak server you can reach (see Quickstart).
  • A Tide IDP-backed realm with license activated (see Manage your Tide license).
  • Access to the tide-console and the master-admin credentials.
  • Familiarity with access tokens, roles, and client scopes.

1. Provision the QEA realm

The tide-console setup wizard provisions the QEA realm in one action.

  1. Go to the root at http://localhost:8080/ and sign in with the master-admin details. You land on the Set up this realm page.
  2. In Set up this realm, enter the project name and contact email, then accept the terms.
  3. Click Set up realm.

That one action provisions everything: the realm, Tide keys, the attestor, a prefilled app, QEA turned on, the ADOPT change requests that bring existing state under attestation, your admin user with tide-realm-admin, and your link-tide enrollment.

tide-console Set up this realm form


The wizard already created your admin user and granted it tide-realm-admin. To activate it as the first QEA admin you only need to link your Tide account through the enclave.

  1. On the Link your Tide account card, click Open the link to enroll. Keep the tab open.

Link your Tide account card with Open the link to enroll button

  1. In the enclave, create your Tide account (or sign in) and set your sign-in credentials.

Tide enclave Create an account

The wizard detects when linking is done and lands you in the tide-console as the first admin.

tide-console dashboard

The primary nav is Home, Apps, People, and QEA Approvals. The Advanced toggle (bottom-left) reveals Groups, Roles, Sign-in providers, Governance, Policies, Tide, Settings, and Offboard realm.


3. Add Additional Admins

While you are the only tide-realm-admin, the approval threshold is 1. Adding more admins raises the quorum (roughly 70% of total admins), so every change then needs more than one approval.

For each new admin:

  1. Go to People and click Add a user. Enter a username (e.g. iga_admin_2) and click Add user.
  2. Hand the new user the one-time link shown on the next screen so they can enroll their Tide account through the enclave.
  3. Turn on the Advanced toggle, go to Roles, and grant them tide-realm-admin. Granting an admin role is itself a governed change, so authorize the resulting request in QEA Approvals when you are done.

People list in the tide-console


4. Accessing Change Requests

Governed writes are captured as change requests rather than applied immediately. To review them:

  1. Sign in to the tide-console (http://localhost:8080/realms/{realm}/tide-console/).
  2. From the left menu, select QEA Approvals.

QEA Approvals inbox

4.1 The inbox

Each pending request shows the target it affects (an app, a user, a role), the action type, when it was created, its authorization count, and its status. The Pending and Denied tabs let you filter. Click View to open a request and see its detail.


5. Managing Change Requests

5.1 Authorize vs Commit

Each change request supports two actions:

  • Authorize (POST .../approve) records your approval and commits automatically once approvals reach quorum. With one admin, a single Authorize applies the change straight away.
  • Commit (POST .../commit) applies a request that has already reached quorum. Below the threshold it returns 412 QUORUM_NOT_MET.

To act on a request:

  1. Under QEA Approvals, open a PENDING request and click View.
  2. Review the target and action, optionally leave a comment for other approvers, and click Authorize (or Deny).

Change request detail with Authorize and Deny

5.2 User Role Changes

  • Assign or remove roles under AdvancedRoles (or per-user from People).
  • A request appears in QEA Approvals for the affected user.
  • Authorize (and commit at quorum) to finalize.

A user's Role mapping tab (Assign realm role)

5.3 Role Management

  • Manage roles under AdvancedRoles.
  • Create or modify roles; user-impacting changes generate requests.
  • Authorize via QEA Approvals.

Realm roles list under Advanced -> Roles

5.4 Client Scope Changes

  • Modify scopes from an app under Apps.
  • Changes affecting permissions generate requests in QEA Approvals.
  • Authorize and commit to apply.

An app's App scopes tab (Default and Optional app scopes)


6. Default Roles Management

Parent roles (e.g., default-roles-myrealm) group child roles and auto-assign them to new users.

  1. Turn on Advanced, go to Rolesdefault-roles-myrealm.
  2. Add or remove child roles.
  3. Changes require the same QEA approval process.

default-roles composite (Associated child roles)


7. Action Types in Change Requests

ActionTypeTrigger
Granting Role to UserUserAssign role in Roles / People
Unassigning Role from UserUserRemove role in Roles / People
Granting Role to Composite RoleRoleAdd child role under Roles
Enabling Full ScopeClientToggle Full Scope on an app

Next steps