<div dir="ltr">In the admin console you can manage realm roles from the "Roles" link in the menu on the left hand side. Further you can manage roles for a client (service) by finding the client first, it then has a tab for roles. For clients (front-ends) there's a scope tab that let's you control what roles the client is allowed to obtain.<div><br></div><div>Once you've done that a client that receives a token will contain the roles the user and client is permitted to have. When this token is sent to the service the adapter then checks if the token contains the required roles. The service can either use realm roles (global roles) or roles specific to itself (client roles, which is enabled by setting use-resource-role-mappings to true in the keycloak.json file for the service).</div><div><br></div><div>Does that answer your questions?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 4 January 2016 at 19:04, Giovanni Baruzzi <span dir="ltr"><<a href="mailto:giovanni.baruzzi@syntlogo.de" target="_blank">giovanni.baruzzi@syntlogo.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif"><div>Dear All,</div><div><br></div><div>In the documentation I read about the Realm and Resource Roles </div><div><br></div><div>Under "2.2.1. Permission scopes“ you can read: </div><div>"<a>The role mappings contained within the token are the intersection
between the set of user role mappings and the permission scope </a></div><div><a>of the client. So,
access tokens are tailor made for each client and contain only the information required
for by them.“</a></div><div><a><br></a></div><div><a>Further, under "8.1. General Adapter Configuration“, you read</a></div><div>"use-resource-role-mappings“ If set to true, the adapter will look inside the token for application level role mappings for the user. </div><div><a>If false, it will look at the realm level for user role mappings. This is OPTIONAL. The default value is false </a></div><div><a><br></a></div><div>I would like to understand how to use it and how to configure it, but I cannot find anything in the documentation nor in the tips of the Console.</div><div><br></div><div>Can anybody give me a pointer to more information?</div><div><br></div><div>Thank you,</div><div><br></div><div>Giovanni</div><div><br></div><div><br></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>