keycloak-scim/authorization_services/topics/policy/role-policy.adoc

[[_policy_rbac]]
=== Role-Based Policy

You can use this type of policy to define conditions for your permissions where a set of one or more roles is permitted to access an object.

By default, roles added to this policy are not specified as required and the policy will grant access if the user requesting access has been granted any of these roles. However, you can specify a specific role as <<fake/../role-policy-required-role.adoc#_policy_rbac_required, required>> if you want to enforce a specific role. You can also combine required and non-required roles, regardless of whether they are realm or client roles.

Role policies can be useful when you need more restricted role-based access control (RBAC), where specific roles must be enforced to grant access to an object. For instance, you can enforce that a user must consent to allowing a client application (which is acting on the user's behalf) to access the user's resources. You can use {{book.project.name}} Client Scope Mapping to enable consent pages or even enforce clients to explicitly provide a scope when obtaining access tokens from a {{book.project.name}} server.

To create a new role-based policy, select *Role* in the dropdown list in the upper right corner of the policy listing.

.Add Role-Based Policy
image:../../{{book.images}}/policy/create-role.png[alt="Add Role-Based Policy"]

==== Configuration

* *Name*
+
A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you
can identify them more easily.
+
* *Description*
+
A string containing details about this policy.
+
* *Realm Roles*
+
Specifies which *realm* roles are permitted by this policy.
+
* *Client Roles*
+
Specifies which *client* roles are permitted by this policy. To enable this field must first select a `Client`.
+
* *Logic*
+
The <<fake/../logic.adoc#_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`[[_policy_rbac]]`
RHSSO-599, 598: fix headers and remaining links issues 2016-12-01 14:32:11 +00:00			`=== Role-Based Policy`
More doc 2016-06-05 22:17:31 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`You can use this type of policy to define conditions for your permissions where a set of one or more roles is permitted to access an object.`
More doc 2016-06-05 22:17:31 +00:00
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`By default, roles added to this policy are not specified as required and the policy will grant access if the user requesting access has been granted any of these roles. However, you can specify a specific role as <<fake/../role-policy-required-role.adoc#_policy_rbac_required, required>> if you want to enforce a specific role. You can also combine required and non-required roles, regardless of whether they are realm or client roles.`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			Role policies can be useful when you need more restricted role-based access control (RBAC), where specific roles must be enforced to grant access to an object. For instance, you can enforce that a user must consent to allowing a client application (which is acting on the user's behalf) to access the user's resources. You can use {{book.project.name}} Client Scope Mapping to enable consent pages or even enforce clients to explicitly provide a scope when obtaining access tokens from a {{book.project.name}} server.
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00
Some updates and fixes 2017-04-25 22:52:57 +00:00			`To create a new role-based policy, select Role in the dropdown list in the upper right corner of the policy listing.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
			`.Add Role-Based Policy`
[RHSSO-471] - Adding RH-SSO images 2017-01-05 16:54:31 +00:00			`image:../../{{book.images}}/policy/create-role.png[alt="Add Role-Based Policy"]`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
RHSSO-599, 598: fix headers and remaining links issues 2016-12-01 14:32:11 +00:00			`==== Configuration`
More doc 2016-06-05 22:17:31 +00:00
			`* Name`
			`+`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you`
			`can identify them more easily.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Description`
			`+`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`A string containing details about this policy.`
More doc 2016-06-05 22:17:31 +00:00			`+`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`* Realm Roles`
			`+`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`Specifies which realm roles are permitted by this policy.`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`+`
			`* Client Roles`
More doc 2016-06-05 22:17:31 +00:00			`+`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			Specifies which client roles are permitted by this policy. To enable this field must first select a `Client`.
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Logic`
			`+`
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`The <<fake/../logic.adoc#_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.`