keycloak-scim/authorization_services/topics/policy-group-policy.adoc

[[_policy_group]]
= Group-Based Policy

You can use this type of policy to define conditions for your permissions where a set of one or more groups (and their hierarchies) is permitted to access an object.

To create a new group-based policy, select *Group* in the dropdown list in the upper right corner of the policy listing.

.Add Group-Based Policy
image:{project_images}/policy/create-group.png[alt="Add Group-Based Policy"]

== Configuration

* *Name*
+
A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you
can identify them more easily.
+
* *Description*
+
A string containing details about this policy.
+
* *Groups Claim*
+
Specifies the name of the claim in the token holding the group names and/or paths. Usually, authorization requests are processed based on an ID Token or Access Token
previously issued to a client acting on behalf of some user. If defined, the token must include a claim from where this policy is going to obtain the groups
the user is a member of. If not defined, user's groups are obtained from your realm configuration.
+
* *Groups*
+
Allows you to select the groups that should be enforced by this policy when evaluating permissions. After adding a group, you can extend access to children of the group
by marking the checkbox *Extend to Children*. If left unmarked, access restrictions only applies to the selected group.
+
* *Logic*
+
The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.
Group policy docs and minor fixes to summary 2017-09-22 18:23:59 +00:00			`[[_policy_group]]`
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`= Group-Based Policy`
Group policy docs and minor fixes to summary 2017-09-22 18:23:59 +00:00
			`You can use this type of policy to define conditions for your permissions where a set of one or more groups (and their hierarchies) is permitted to access an object.`

			`To create a new group-based policy, select Group in the dropdown list in the upper right corner of the policy listing.`

			`.Add Group-Based Policy`
			`image:{project_images}/policy/create-group.png[alt="Add Group-Based Policy"]`

Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`== Configuration`
Group policy docs and minor fixes to summary 2017-09-22 18:23:59 +00:00
			`* Name`
			`+`
			`A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you`
			`can identify them more easily.`
			`+`
			`* Description`
			`+`
			`A string containing details about this policy.`
			`+`
			`* Groups Claim`
			`+`
			`Specifies the name of the claim in the token holding the group names and/or paths. Usually, authorization requests are processed based on an ID Token or Access Token`
[KEYCLOAK-7062] - Group Claims should be optional 2018-06-29 13:41:28 +00:00			`previously issued to a client acting on behalf of some user. If defined, the token must include a claim from where this policy is going to obtain the groups`
			`the user is a member of. If not defined, user's groups are obtained from your realm configuration.`
Group policy docs and minor fixes to summary 2017-09-22 18:23:59 +00:00			`+`
			`* Groups`
			`+`
			`Allows you to select the groups that should be enforced by this policy when evaluating permissions. After adding a group, you can extend access to children of the group`
			`by marking the checkbox Extend to Children. If left unmarked, access restrictions only applies to the selected group.`
			`+`
			`* Logic`
			`+`
			`The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.`