When I'm testing my policies using the Policy Evaluation Tool, I am unable to get the
administration application to return any client-based roles so that I can test that
scenario (currently it only allows me to specify realm-based roles). Is this because we
shouldn't be testing the client-based roles, or does the tool simply not support that
feature yet?
My setup is as follows:
* No roles are defined at the realm level
* Client has defined 2 roles (read/write)
* Policy has been set up to allow reading for a specific client (using client role). The
client role 'read' is required
* Permission has been set up to associate the policy with a particular resource's
authorization scope.
I set up all of the roles under the client so that I don't pollute the realm roles with
application-specific settings, but potentially that isn't how Keycloak is supposed to
be used.
Thanks,
Jeremy