keycloak-scim/server_admin/topics/roles/role-scope-mappings.adoc


[[_role_scope_mappings]]
=== Role Scope Mappings
When an OIDC access token or SAML assertion is created, all the role mappings of the user are, by default, added as claims
within the token or assertion. Applications use this information to make access decisions on the resources controlled by that
application. In {project_name}, access tokens are digitally signed and can be re-used by the application
to invoke other remotely secured REST services. This means that if an application gets compromised or there is a rogue
client registered with the realm, attackers can obtain access tokens that carry a broad range of permissions and your whole
network is compromised. This is where _role scope mappings_ become important.
2016-05-25 15:08:14 +00:00
_Role Scope Mappings_ is a way to limit the roles that get declared inside an access token. When a client requests that a user
be authenticated, the access token they receive back will only contain the role mappings you've explicitly specified
for the client's scope. This allows you to limit the permissions each individual access token has rather than giving the
client access to all of the user's permissions. By default, each client gets all the role mappings of the user.
You can view this in the `Scope` tab of each client.
.Full Scope
image:{project_images}/full-client-scope.png[]
You can see from the picture that the effective roles of the scope are every declared role in the realm.
To change this default behavior, you must explicitly turn off the `Full Scope Allowed` switch and declare the specific roles you want in each individual
client. Alternatively, you can also use <<_client_scopes, client scopes>>
to define the same role scope mappings for a whole set of clients.
.Partial Scope
image:{project_images}/client-scope.png[]
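As an added example (not Keycloak's own code), the following Python model shows the effect this section describes: the same user's role mappings produce different role claims depending on whether the client keeps the default full scope or has explicit scope mappings declared. The `realm_access`/`resource_access` claim layout mirrors the one Keycloak uses in access tokens; the user, roles and client names are constructed samples, and the model is simplified (no composite role expansion).

```python
import json

# Constructed sample: the user's complete role mappings in the realm.
USER_ROLES = {
    "realm": {"user", "admin"},
    "client": {
        "billing-api": {"view-invoices", "issue-refunds"},
        "hr-api": {"read-salaries"},
    },
}

# Constructed sample: scope mappings declared for one client after turning
# "Full Scope Allowed" off. Only these roles may appear in its tokens.
BILLING_CLIENT_SCOPE = {
    "realm": {"user"},
    "client": {"billing-api": {"view-invoices"}},
}


def build_role_claims(user_roles, full_scope_allowed, scope_mappings):
    """Return the role claims for one access token (simplified model).

    full_scope_allowed=True  -> every role mapping of the user is emitted (the default).
    full_scope_allowed=False -> only the intersection of the user's role mappings
                                and the client's scope mappings is emitted.
    """
    if full_scope_allowed:
        realm = set(user_roles["realm"])
        clients = {c: set(r) for c, r in user_roles["client"].items()}
    else:
        realm = set(user_roles["realm"]) & scope_mappings.get("realm", set())
        clients = {}
        for c, roles in user_roles["client"].items():
            allowed = set(roles) & scope_mappings.get("client", {}).get(c, set())
            if allowed:
                clients[c] = allowed
    return {
        "realm_access": {"roles": sorted(realm)},
        "resource_access": {c: {"roles": sorted(r)} for c, r in sorted(clients.items())},
    }


def has_client_role(claims, client_id, role):
    """The check a resource server makes before acting on a token it receives."""
    return role in claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


if __name__ == "__main__":
    for label, flag, scope in (("full scope", True, {}), ("partial scope", False, BILLING_CLIENT_SCOPE)):
        print(label, json.dumps(build_role_claims(USER_ROLES, flag, scope)))
```

With full scope, a token issued to the billing client also carries `read-salaries` for `hr-api`, which is exactly the reach a compromised client would inherit; with the scope mappings declared, that role never enters the token.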