Hi,
Your understanding is correct. However, that message is not clear enough about what it
really represents.
There were some improvements to Evaluation Tool UI, including an option to look at the
resulting authorization token. I'm also going to change that message and make it more
clear in case you get a DENY or in case the server could not find policies that match the
resources/scopes you are evaluating.
Regards.
Pedro Igor
----- Original Message -----
From: "Ushanas Shastri" <ushanas.shastri(a)viteos.com>
To: keycloak-user(a)lists.jboss.org
Sent: Saturday, July 30, 2016 3:52:01 AM
Subject: [keycloak-user] Unable to understand authorization/get it to work
Hello,
This is my first post on this mailing list, and I've been evaluating Keycloak for a
couple of days.
I've been unable to get Authorization to work the way I thought it should. Maybe
I've not understood it right, and could do with some help. I am using the built-in
Evaluation tool to check.
Here's my scenario:
I have a web-based application, where we have typical CRUD operations being performed.
For example, the application maintains a list of Sources from which we expect to receive data.
Users have the ability to add, edit, view or delete a Source, provided the Sources belong
to their Business Unit. Here's what I did in Keycloak.
- Created Source as a resource, with the 4 actions as scopes (add, edit, view and delete).
- Added a Role based Policy to a role called "ViewOnly"
- The ViewOnly role is mapped to users.
- Created a Scope based permission, where View is the only scope on the resource, attached
to the ViewOnly policy.
Now, when I use the evaluation tool for scope "View", I get a permit, which is
as expected.
I then check the evaluation tool for scope "Delete", and I get a message
"Could not obtain any result for the given authorization request. Check if the provided
resource(s) or scope(s) are associated with any policy." Is this as expected?
Isn't this supposed to return a Deny, since the Policy Enforcement Mode on the realm is
"Enforcing"? Is this just a UI message, indicating the same as a Deny?
Now, I add Delete as a scope to the same permission, and check on Delete scope in the
evaluation tool, but I continue to get the same message as above. Shouldn't I be
receiving a PERMIT now, as the same permission was modified to include the Delete Scope?
The summary is that if I have more than one scope added to the permission, the evaluation
tool returns this message. If I have only one scope in a policy, it works for me.
What am I missing?
Regards, Ushanas.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
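The distinction the thread turns on, between an explicit DENY and "no policy matched this resource/scope", is easier to reason about with a small model in front of you. The following Python is an added illustration written for this page, not Keycloak's own evaluation engine or any code from the thread's participants. It models a role-based policy, a scope-based permission, and the three outcomes a request can produce, then shows how the resource server's enforcement mode turns "no result" into an access decision. The resource ("Source"), its four scopes and the "ViewOnly" role follow Ushanas's scenario; the unanimous decision strategy inside a permission, the "any PERMIT wins" rule across permissions, and the mode names are simplifying assumptions of this model.

```python
"""Simplified model of scope-based permission evaluation, added as an illustration.

Not Keycloak's own engine. It models the three outcomes a request can produce
(PERMIT, DENY, or no matching permission at all) and how the enforcement mode
of the resource server turns the third one into an access decision. All sample
data below is constructed for the scenario described in the thread.
"""
from dataclasses import dataclass

PERMIT = "PERMIT"
DENY = "DENY"
NO_RESULT = "NO_RESULT"   # evaluation found no permission covering the request


@dataclass
class RolePolicy:
    name: str
    roles: frozenset  # any one of these roles satisfies the policy (model assumption)

    def evaluate(self, user_roles):
        return PERMIT if self.roles & user_roles else DENY


@dataclass
class ScopePermission:
    """A permission that ties policies to specific scopes of one resource."""
    resource: str
    scopes: frozenset
    policies: tuple

    def applies_to(self, resource, scope):
        return resource == self.resource and scope in self.scopes

    def evaluate(self, user_roles):
        # Unanimous strategy (model assumption): every attached policy must permit.
        votes = [p.evaluate(user_roles) for p in self.policies]
        return PERMIT if votes and all(v == PERMIT for v in votes) else DENY


def evaluate(permissions, resource, scope, user_roles):
    """Return PERMIT, DENY or NO_RESULT for a single resource/scope request."""
    matching = [p for p in permissions if p.applies_to(resource, scope)]
    if not matching:
        # Nothing is associated with this scope: this is the "could not obtain
        # any result" case, which is different from an explicit DENY.
        return NO_RESULT
    # Across several matching permissions, any PERMIT grants the scope (model assumption).
    decisions = {p.evaluate(user_roles) for p in matching}
    return PERMIT if PERMIT in decisions else DENY


def enforce(decision, mode="ENFORCING"):
    """Map an evaluation outcome to an access decision under an enforcement mode.

    ENFORCING: only an explicit PERMIT grants access, so a scope with no
    permission is refused exactly like a DENY.
    PERMISSIVE: a request for which no permission exists is let through.
    """
    if decision == PERMIT:
        return True
    if decision == NO_RESULT and mode == "PERMISSIVE":
        return True
    return False


# Constructed sample data mirroring the thread: one role policy, one scope
# permission that covers only "view".
VIEW_ONLY = RolePolicy("ViewOnly policy", frozenset({"ViewOnly"}))
PERMISSIONS = [ScopePermission("Source", frozenset({"view"}), (VIEW_ONLY,))]
VIEWER = frozenset({"ViewOnly"})
OUTSIDER = frozenset({"Guest"})


def scenario(permissions=PERMISSIONS, mode="ENFORCING"):
    """Evaluate all four scopes for a ViewOnly user and for an unrelated user."""
    results = {}
    for who, roles in (("viewer", VIEWER), ("outsider", OUTSIDER)):
        for scope in ("add", "edit", "view", "delete"):
            decision = evaluate(permissions, "Source", scope, roles)
            results[(who, scope)] = (decision, enforce(decision, mode))
    return results


if __name__ == "__main__":
    for (who, scope), (decision, allowed) in scenario().items():
        verdict = "allowed" if allowed else "denied"
        print(f"{who:8s} {scope:6s} evaluation={decision:9s} enforcing -> {verdict}")
```

Running it prints the viewer's "view" request as PERMIT/allowed, the viewer's "delete" request as NO_RESULT/denied, and the outsider's "view" request as DENY/denied: under an enforcing resource server the second and third rows lead to the same refusal, which is the point to keep in mind when the evaluation tool reports that no policy matched.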