keycloak-scim/topics/policy/role-policy-required-role.adoc

== Defining a Role as Required

When creating a role-based policy, you may mark a specific role as `Required`. When you do that, the policy will grant access
only if the user asking for access is granted with *all* the *required* roles. Both realm and client roles can be configured as such.

.Example of Required Role
image:../../images/policy/create-role.png[alt="Example of Required Role"]

To mark a role as required, mark the `Required` checkbox on the role you want to configure as required.

Required roles can be very handy when your policy defines multiple roles but only a subset of them are mandatory. In this case, you can mix realm and client roles to enable an
even more fine-grained RBAC model for your application. For instance, you may have policies specific for a client and require a specific client role associated with that client. Or you can just
enforce that access is granted only in the presence of a specific realm role. Or even have both approaches within the same policy.
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`== Defining a Role as Required`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			When creating a role-based policy, you may mark a specific role as `Required`. When you do that, the policy will grant access
			`only if the user asking for access is granted with all the required roles. Both realm and client roles can be configured as such.`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00
			`.Example of Required Role`
			`image:../../images/policy/create-role.png[alt="Example of Required Role"]`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			To mark a role as required, mark the `Required` checkbox on the role you want to configure as required.
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00
			`Required roles can be very handy when your policy defines multiple roles but only a subset of them are mandatory. In this case, you can mix realm and client roles to enable an`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`even more fine-grained RBAC model for your application. For instance, you may have policies specific for a client and require a specific client role associated with that client. Or you can just`
			`enforce that access is granted only in the presence of a specific realm role. Or even have both approaches within the same policy.`