Each realm will probably need a set of roles that pertain to social permissions, i.e.: email-request, contacts, etc. We need to compile a list of them... We'll then assign scope mappings to registered applications and OAuth clients if social is enabled for the realm.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com