On creation of an OIDC access token or SAML assertion, the user role mappings become claims within the token or assertion. Applications use these claims to make access decisions on the resources controlled by the application. {project_name} digitally signs access tokens and applications re-use them to invoke remotely secured REST services. However, these tokens have an associated risk. An attacker can obtain these tokens and use their permissions to compromise your networks. To prevent this situation, use _Role Scope Mappings_.
_Role Scope Mappings_ limit the roles declared inside an access token. When a client requests user authentication, the access token it receives contains only the role mappings that are explicitly specified for the client's scope. The result is that you limit the permissions of each individual access token instead of giving the client access to all of the user's permissions.
By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, toggle *Full Scope Allowed* to ON and declare the specific roles you want in each client. You can also use <<_client_scopes, client scopes>> to define the same role scope mappings for a set of clients.
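The filtering described above, as an added example (a small Python model, not {project_name}'s own code): it shows which role claims reach a token for the same user when issued to a narrowly scoped client and to a client with full scope, using constructed user, client and role names and ignoring composite-role expansion.

```python
# Added example (not the project's own code): a model of how a client's role
# scope mappings filter a user's role mappings into the role claims of an access
# token. Names are constructed for illustration; composite roles are ignored.

def effective_token_roles(user_roles, client_scope_roles, full_scope_allowed):
    """Roles that reach a token issued to one client.

    user_roles         -- roles mapped to the user (directly or through groups)
    client_scope_roles -- roles in the client's role scope mappings, including
                          those contributed by its client scopes
    full_scope_allowed -- True: every role the user holds is in scope (default);
                          False: only roles listed in client_scope_roles
    """
    if full_scope_allowed:
        return set(user_roles)
    return set(user_roles) & set(client_scope_roles)


def build_role_claims(roles):
    """Lay roles out as token claims: realm roles under realm_access.roles,
    client roles (written here as "client-id:role") under
    resource_access.<client-id>.roles."""
    claims = {"realm_access": {"roles": []}, "resource_access": {}}
    for role in sorted(roles):
        if ":" in role:
            client_id, name = role.split(":", 1)
            client_claims = claims["resource_access"].setdefault(client_id, {"roles": []})
            client_claims["roles"].append(name)
        else:
            claims["realm_access"]["roles"].append(role)
    return claims


# Constructed sample: one user, two clients with different scope settings.
ALICE_ROLES = {"admin", "offline_access", "inventory-app:viewer", "billing-app:refund"}
INVENTORY_SCOPE = {"inventory-app:viewer", "offline_access"}  # explicit scope mappings


def token_claims_for(client_scope_roles, full_scope_allowed, user_roles=ALICE_ROLES):
    """Role claims a token for this user carries when issued to a client
    configured with the given scope settings."""
    return build_role_claims(effective_token_roles(user_roles, client_scope_roles, full_scope_allowed))


if __name__ == "__main__":
    # Scoped client: a leaked token carries neither admin nor billing-app roles.
    print("inventory-app:", token_claims_for(INVENTORY_SCOPE, False))
    # Full scope: the token carries every role the user holds.
    print("legacy-app:   ", token_claims_for(set(), True))
```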