[keycloak-user] Service account token mappers?

I want to use a service account token to call the admin API (for it's realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles). I don't want user tokens generated through the client to have the claim (unless absolutely necessary). How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens? If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token. (Keycloak 4.8.2) Cheers, Gary