keycloak-scim/topics/policy/role-policy.adoc

== Role-Based Policy

This type of policy allows you to define conditions for your permissions where only a set of one or more roles is allowed
to access an object.

By default, roles added to this policy are not marked as required and the policy will grant access if the user asking for access has any of these roles. However, {{book.project.name}} also allows you
to mark a specific role as link:role-policy-required-role.adoc[required] in case you want to enforce the presence of a role. You can even mix required and non-required roles, regardless of whether they are realm
or client roles.

Role policies can be very useful when you need a more restricted role-based access control (RBAC), where specific roles must be present in order to grant access to an object. For instance,
you may enforce that a user must consent to letting a client application (which is acting on his behalf) access his resources. Here you can benefit from {{book.project.name}} Client Scope Mapping to
enable consent pages or even enforce clients to explicitly provide a scope when obtaining access tokens from a {{book.project.name}} server.

To create a new Role-based policy, select the option *Role-Based* in the dropdown located in the right upper corner of the permission listing.

.Add Role-Based Policy
image:../../images/policy/create-role.png[alt="Add Role-Based Policy"]

=== Configuration

* *Name*
+
A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you
can identify them more easily and also know what they actually mean.
+
* *Description*
+
A string with more details about this policy.
+
* *Realm Roles*
+
Specifies which *realm* role(s) are allowed by this policy.
+
* *Client Roles*
+
Specifies which *client* role(s) are allowed by this policy. To enable this field you need to select a `Client` first.
+
* *Logic*
+
The link:logic.html[Logic] of this policy to apply after the other conditions have been evaluated.
More doc 2016-06-05 22:17:31 +00:00			`== Role-Based Policy`

			`This type of policy allows you to define conditions for your permissions where only a set of one or more roles is allowed`
			`to access an object.`

Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`By default, roles added to this policy are not marked as required and the policy will grant access if the user asking for access has any of these roles. However, {{book.project.name}} also allows you`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`to mark a specific role as link:role-policy-required-role.adoc[required] in case you want to enforce the presence of a role. You can even mix required and non-required roles, regardless of whether they are realm`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`or client roles.`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`Role policies can be very useful when you need a more restricted role-based access control (RBAC), where specific roles must be present in order to grant access to an object. For instance,`
			`you may enforce that a user must consent to letting a client application (which is acting on his behalf) access his resources. Here you can benefit from {{book.project.name}} Client Scope Mapping to`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`enable consent pages or even enforce clients to explicitly provide a scope when obtaining access tokens from a {{book.project.name}} server.`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`To create a new Role-based policy, select the option Role-Based in the dropdown located in the right upper corner of the permission listing.`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00
			`.Add Role-Based Policy`
			`image:../../images/policy/create-role.png[alt="Add Role-Based Policy"]`

More doc 2016-06-05 22:17:31 +00:00			`=== Configuration`

			`* Name`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A human-readable and unique string describing the policy. We strongly suggest that you use names that are closely related with your business and security requirements, so you`
			`can identify them more easily and also know what they actually mean.`
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Description`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A string with more details about this policy.`
More doc 2016-06-05 22:17:31 +00:00			`+`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			`* Realm Roles`
			`+`
			`Specifies which realm role(s) are allowed by this policy.`
			`+`
			`* Client Roles`
More doc 2016-06-05 22:17:31 +00:00			`+`
Updating role policy and adding more doc 2016-07-28 16:45:07 +00:00			Specifies which client role(s) are allowed by this policy. To enable this field you need to select a `Client` first.
More doc 2016-06-05 22:17:31 +00:00			`+`
			`* Logic`
			`+`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`The link:logic.html[Logic] of this policy to apply after the other conditions have been evaluated.`