keycloak-scim/topics/policy/role-policy.adoc

35 lines
1.9 KiB
Text
Raw Normal View History

2016-06-05 22:17:31 +00:00
== Role-Based Policy
You can use this type of policy to define conditions for your permissions where a set of one or more roles is permitted to access an object.
2016-06-05 22:17:31 +00:00
By default, roles added to this policy are not specified as required and the policy will grant access if the user requesting access has been granted any of these roles. However, you can specify a specific role as link:role-policy-required-role.adoc[required] if you want to enforce a specific role. You can also combine required and non-required roles, regardless of whether they are realm or client roles.
Role policies can be useful when you need more restricted role-based access control (RBAC), where specific roles must be enforced to grant access to an object. For instance, you can enforce that a user must consent to allowing a client application (which is acting on the user's behalf) to access the user's resources. You can use {{book.project.name}} Client Scope Mapping to enable consent pages or even enforce clients to explicitly provide a scope when obtaining access tokens from a {{book.project.name}} server.
To create a new role-based policy, select *Role-Based* in the dropdown list in the upper right corner of the permission listing.
.Add Role-Based Policy
image:../../images/policy/create-role.png[alt="Add Role-Based Policy"]
2016-06-05 22:17:31 +00:00
=== Configuration
* *Name*
+
A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you
can identify them more easily.
2016-06-05 22:17:31 +00:00
+
* *Description*
+
A string containing details about this policy.
2016-06-05 22:17:31 +00:00
+
* *Realm Roles*
+
Specifies which *realm* roles are permitted by this policy.
+
* *Client Roles*
2016-06-05 22:17:31 +00:00
+
Specifies which *client* roles are permitted by this policy. To enable this field must first select a `Client`.
2016-06-05 22:17:31 +00:00
+
* *Logic*
+
The link:logic.html[Logic] of this policy to apply after the other conditions have been evaluated.