Hi,
I am working on a keycloak setup trying to replicate the photoz example. The
'test' realm is configured as follows:
* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (JavaScript)
* 2 users: alice and bob
Alice creates a new album resource with the following request:
POST /auth/realms/test/authz/protection/resource_set
{
  "name": "Amazing sunsets",
  "owner": "alice",
  "ownerManagedAccess": "true",
  "uri": "/albums/100",
  "type": "album",
  "resource_scopes": ["album:view", "album:modify"]
}
Simulating Bob accessing album "Amazing sunsets" using the authorization
evaluation tab, returns permission denied for both scopes (view & modify) as
expected.
Now, Alice shares "Amazing sunsets" via the account management interface but
limits the scope to 'view' by sharing 'album:view' only.
Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" is also granted??
Why would Bob get full access if Alice only shared album:view? The evaluation
output even states that the granted album:view access was the reason why
access to album:modify is granted too (see attached screenshot for details).
Does anybody have a suggestion what I am missing here?
Thanks,
Marek
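The following script is an added example, not part of the original post, for reproducing the per-scope check outside the admin console's evaluation tab: it builds the same resource registration body as in the post and then asks Keycloak's token endpoint for a UMA decision one scope at a time, which is the observable behaviour a relying party sees. The base URL, the resource id returned by the Protection API, Bob's access token and the HTTP client stand-in are assumptions for illustration; the endpoint paths, the uma-ticket grant type and the `response_mode=decision` parameter are standard Keycloak authorization services features.

```python
"""Per-scope UMA decision check for the 'photoz'-style setup (added example)."""
import json

# Assumed deployment values (placeholders, not taken from the post).
BASE_URL = "https://keycloak.example.invalid/auth"
REALM = "test"
CLIENT_ID = "photoz"


def protection_api_url(base=BASE_URL, realm=REALM):
    """Protection API endpoint used to register owner-managed resources."""
    return f"{base}/realms/{realm}/authz/protection/resource_set"


def token_url(base=BASE_URL, realm=REALM):
    """Token endpoint that also evaluates UMA permission requests."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def resource_registration_body(name, owner, uri, scopes, resource_type="album"):
    """Same resource as in the post; ownerManagedAccess is sent as a JSON boolean."""
    return {
        "name": name,
        "owner": owner,
        "ownerManagedAccess": True,
        "uri": uri,
        "type": resource_type,
        "resource_scopes": list(scopes),
    }


def decision_request_form(resource_id, scope, audience=CLIENT_ID):
    """Form body asking for a yes/no decision on exactly one resource#scope pair."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,
        "permission": f"{resource_id}#{scope}",
        "response_mode": "decision",
    }


def parse_decision(status_code, body_text):
    """HTTP 200 with {"result": true} means granted; a 403 error body means denied."""
    if status_code == 200:
        return bool(json.loads(body_text).get("result", False))
    return False


def evaluate_scopes(post, access_token, resource_id, scopes):
    """Query each scope separately so a grant on one scope cannot mask another.

    `post` is a callable (url, headers, data) -> (status_code, body_text); this keeps
    the HTTP client pluggable so the logic can be exercised offline.
    """
    headers = {"Authorization": f"Bearer {access_token}"}
    results = {}
    for scope in scopes:
        status, text = post(token_url(), headers, decision_request_form(resource_id, scope))
        results[scope] = parse_decision(status, text)
    return results


def fake_post_factory(granted_scopes):
    """Constructed stand-in for Keycloak: grants only the scopes listed in `granted_scopes`."""
    def fake_post(url, headers, data):
        scope = data["permission"].split("#", 1)[1]
        if scope in granted_scopes:
            return 200, json.dumps({"result": True})
        return 403, json.dumps({"error": "access_denied"})
    return fake_post


def requests_post(url, headers, data):
    """Real HTTP adapter (needs the 'requests' package); imported lazily on purpose."""
    import requests  # assumption: available in the environment where this is run
    response = requests.post(url, headers=headers, data=data, timeout=10)
    return response.status_code, response.text


if __name__ == "__main__":
    scopes = ["album:view", "album:modify"]
    print(json.dumps(resource_registration_body("Amazing sunsets", "alice", "/albums/100", scopes), indent=2))
    # Offline run: only album:view was shared, so album:modify must come back denied.
    post = fake_post_factory({"album:view"})
    print(evaluate_scopes(post, "BOB_ACCESS_TOKEN_PLACEHOLDER", "RESOURCE_ID_PLACEHOLDER", scopes))
    # Against a live server, swap in: evaluate_scopes(requests_post, bob_token, resource_id, scopes)
```

Registering the resource through the Protection API returns an `_id` field; that id (not the display name) is what the `permission` parameter should carry, and the token used for the decision requests must be Bob's, not the client's protection API token, otherwise the decision reflects the wrong subject.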