Applications, by default, have a full scope of all realm and all applications' roles. This is a flag stored in "fullScopeAllowed" in the Client model. It is a switch called "Full Scope Allowed". I don't know if there is a better name for it or not. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com