keycloak-scim/authorization_services/topics/resource-server/default-config.adoc

[[_resource_server_default_config]]
=== Default Configuration

When you create a resource server, {{book.project.name}} creates a default configuration for your newly created resource server.

The default configuration consists of:

* A default protected resource representing all resources in your application.
* A policy that always grants access to the resources protected by this policy.
* A permission that governs access to all resources based on the default policy.

The default protected resource is referred to as the *default resource* and you can view it if you navigate to the *Resources* tab.

.Default Resource
image:../../{{book.images}}/resource-server/default-resource.png[alt="Default Resource"]

This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a
wildcard pattern that indicates to {{book.project.name}} that this resource represents all the paths in your application. In other words,
when enabling <<fake/../../enforcer/overview.adoc#_enforcer_overview, policy enforcement>> for your application, all the permissions associated with the resource
will be examined before granting access.

The `Type` mentioned previously defines a value that can be used to create <<fake/../../permission/typed-resource-permission.adoc#_permission_typed_resource, typed resource permissions>> that must be applied
to the default resource or any other resource you create using the same type.

The default policy is referred to as the *only from realm policy* and you can view it if you navigate to the *Policies* tab.

.Default Policy
image:../../{{book.images}}/resource-server/default-policy.png[alt="Default Policy"]

This policy is a <<fake/../../policy/js-policy.adoc#_policy_js, JavaScript-based policy>> defining a condition that always grants access to the resources protected by this policy. If you click this policy you can see that it defines a rule as follows:

```js
// by default, grants any permission associated with this policy
$evaluation.grant();
```

Lastly, the default permission is referred to as the *default permission* and you can view it if you navigate to the *Permissions* tab.

.Default Permission
image:../../{{book.images}}/resource-server/default-permission.png[alt="Default Permission"]

This permission is a <<fake/../../permission/create-resource.adoc#_permission_create_resource, resource-based permission>>, defining a set of one or more policies that are applied to all resources with a given type.

==== Changing the Default Configuration

You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own.

[NOTE]
The default configuration defines a resource that maps to all paths in your application. If you are about to write permissions to your own resources, make sure
to remove the *Default Resource* or change its ```URI``` field to a more specific path in your application. Otherwise, the policy associated with the default resource (which by default is always granting access)
will make Keycloak grant access to any protected resource.
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`[[_resource_server_default_config]]`
RHSSO-599, 598: fix headers and remaining links issues 2016-12-01 14:32:11 +00:00			`=== Default Configuration`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`When you create a resource server, {{book.project.name}} creates a default configuration for your newly created resource server.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
			`The default configuration consists of:`

			`* A default protected resource representing all resources in your application.`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`* A policy that always grants access to the resources protected by this policy.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00			`* A permission that governs access to all resources based on the default policy.`

General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`The default protected resource is referred to as the default resource and you can view it if you navigate to the Resources tab.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
			`.Default Resource`
[RHSSO-471] - Adding RH-SSO images 2017-01-05 16:54:31 +00:00			`image:../../{{book.images}}/resource-server/default-resource.png[alt="Default Resource"]`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a
			`wildcard pattern that indicates to {{book.project.name}} that this resource represents all the paths in your application. In other words,`
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`when enabling <<fake/../../enforcer/overview.adoc#_enforcer_overview, policy enforcement>> for your application, all the permissions associated with the resource`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`will be examined before granting access.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			The `Type` mentioned previously defines a value that can be used to create <<fake/../../permission/typed-resource-permission.adoc#_permission_typed_resource, typed resource permissions>> that must be applied
Fixes based on Stian feedback. 2016-07-26 21:34:49 +00:00			`to the default resource or any other resource you create using the same type.`

General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`The default policy is referred to as the only from realm policy and you can view it if you navigate to the Policies tab.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
			`.Default Policy`
[RHSSO-471] - Adding RH-SSO images 2017-01-05 16:54:31 +00:00			`image:../../{{book.images}}/resource-server/default-policy.png[alt="Default Policy"]`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`This policy is a <<fake/../../policy/js-policy.adoc#_policy_js, JavaScript-based policy>> defining a condition that always grants access to the resources protected by this policy. If you click this policy you can see that it defines a rule as follows:`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
			```js
Fixes based on Stian feedback. 2016-07-26 21:34:49 +00:00			`// by default, grants any permission associated with this policy`
			`$evaluation.grant();`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00			```

General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`Lastly, the default permission is referred to as the default permission and you can view it if you navigate to the Permissions tab.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
			`.Default Permission`
[RHSSO-471] - Adding RH-SSO images 2017-01-05 16:54:31 +00:00			`image:../../{{book.images}}/resource-server/default-permission.png[alt="Default Permission"]`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`This permission is a <<fake/../../permission/create-resource.adoc#_permission_create_resource, resource-based permission>>, defining a set of one or more policies that are applied to all resources with a given type.`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
fixing remaining header issues so TOC levels are correct 2016-12-02 16:58:27 +00:00			`==== Changing the Default Configuration`
Updating docs with latest changes. 2016-06-16 17:08:04 +00:00
Update default-config.adoc 2017-03-14 07:15:30 +00:00			`You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own.`

			`[NOTE]`
			`The default configuration defines a resource that maps to all paths in your application. If you are about to write permissions to your own resources, make sure`
			to remove the Default Resource or change its ```URI``` field to a more specific path in your application. Otherwise, the policy associated with the default resource (which by default is always granting access)
			`will make Keycloak grant access to any protected resource.`