keycloak-scim/server_admin/topics/roles-groups/proc-converting-composite-roles.adoc

[id="proc-converting-composite-roles_{context}"]

[[_composite-roles]]

=== Composite Roles
[role="_abstract"]
Any realm or client level role can be a _composite role_. A _composite role_ is a role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user gains the roles associated with the composite role.  This inheritance is recursive so users also inherit any composite of composites. However, we recommend that composite roles are not overused.

To convert a role to a composite role:

. Click *Roles* in the menu.
. Click the role to access the roles detail page.
. Toggle *Composite Roles* to ON.

.Composite Role
image:{project_images}/composite-role.png[]

The role selection UI is displayed on the page and you can associate realm level and client level roles to the composite role you are creating.

In this example, the *employee* realm-level role is associated with the *developer* composite role.  Any user with the *developer* role also inherits the *employee* role.

[NOTE]
====
When creating tokens and SAML assertions, any composite also has its associated roles added to the claims and assertions of the authentication response sent back to the client.
====
KEYCLOAK-16186-2 modularizes files (#39) 2020-11-11 16:21:21 +00:00			`[id="proc-converting-composite-roles_{context}"]`

roles 2016-05-25 15:08:14 +00:00			`[[_composite-roles]]`

			`=== Composite Roles`
KEYCLOAK-16186-2 modularizes files (#39) 2020-11-11 16:21:21 +00:00			`[role="_abstract"]`
KEYCLOAK-15771 Updates based on peer editing agreements on clients topics and making corrections to roles and groups chapter. 2020-11-17 20:40:14 +00:00			`Any realm or client level role can be a _composite role_. A _composite role_ is a role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user gains the roles associated with the composite role. This inheritance is recursive so users also inherit any composite of composites. However, we recommend that composite roles are not overused.`
roles 2016-05-25 15:08:14 +00:00
KEYCLOAK-16186 Initial rewording (#38) * KEYCLOAK-16186 Initial rewording * Post workding feedback * post visual review changes * more post feedback changes * Update default-roles.adoc Minor correction where you include my incorrect suggestion. Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-11-10 18:11:10 +00:00			`To convert a role to a composite role:`

INcorporates feedback (#40) 2020-11-13 14:09:23 +00:00			`. Click Roles in the menu.`
KEYCLOAK-16186 Initial rewording (#38) * KEYCLOAK-16186 Initial rewording * Post workding feedback * post visual review changes * more post feedback changes * Update default-roles.adoc Minor correction where you include my incorrect suggestion. Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-11-10 18:11:10 +00:00			`. Click the role to access the roles detail page.`
KEYCLOAK-15771 Updates based on peer editing agreements on clients topics and making corrections to roles and groups chapter. 2020-11-17 20:40:14 +00:00			`. Toggle Composite Roles to ON.`
roles 2016-05-25 15:08:14 +00:00
			`.Composite Role`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/composite-role.png[]`
roles 2016-05-25 15:08:14 +00:00
KEYCLOAK-16186 Initial rewording (#38) * KEYCLOAK-16186 Initial rewording * Post workding feedback * post visual review changes * more post feedback changes * Update default-roles.adoc Minor correction where you include my incorrect suggestion. Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-11-10 18:11:10 +00:00			`The role selection UI is displayed on the page and you can associate realm level and client level roles to the composite role you are creating.`

Applying bold and other changes to merge roles and groups topics. 2020-11-11 17:08:48 +00:00			`In this example, the employee realm-level role is associated with the developer composite role. Any user with the developer role also inherits the employee role.`
roles 2016-05-25 15:08:14 +00:00
KEYCLOAK-16186 Initial rewording (#38) * KEYCLOAK-16186 Initial rewording * Post workding feedback * post visual review changes * more post feedback changes * Update default-roles.adoc Minor correction where you include my incorrect suggestion. Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-11-10 18:11:10 +00:00			`[NOTE]`
			`====`
			`When creating tokens and SAML assertions, any composite also has its associated roles added to the claims and assertions of the authentication response sent back to the client.`
			`====`