[KEYCLOAK-8289] - Remove authorization services from product preview profile

common/src/main/java/org/keycloak/common/Profile.java

@@ -34,7 +34,7 @@ public class Profile {
 
     public enum Feature {
         ACCOUNT2,
-        AUTHORIZATION,
+        ADMIN_FINE_GRAINED_AUTHZ,
         DOCKER,
         IMPERSONATION,
         OPENSHIFT_INTEGRATION,
@@ -54,7 +54,7 @@ public class Profile {
     }
 
     private enum ProfileValue {
-        PRODUCT(Feature.AUTHORIZATION, Feature.SCRIPTS, Feature.DOCKER, Feature.ACCOUNT2, Feature.TOKEN_EXCHANGE),
+        PRODUCT(Feature.ADMIN_FINE_GRAINED_AUTHZ, Feature.SCRIPTS, Feature.DOCKER, Feature.ACCOUNT2, Feature.TOKEN_EXCHANGE),
         PREVIEW(Feature.ACCOUNT2),
         COMMUNITY(Feature.DOCKER, Feature.ACCOUNT2);
 

server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java

@@ -547,13 +547,11 @@ public class ModelToRepresentation {
             rep.setProtocolMappers(mappings);
         }
 
-        if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
+        AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
-            AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
+        ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(clientModel.getId());
-            ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(clientModel.getId());
 
-            if (resourceServer != null) {
+        if (resourceServer != null) {
-                rep.setAuthorizationServicesEnabled(true);
+            rep.setAuthorizationServicesEnabled(true);
-            }
         }
 
         return rep;

services/src/main/java/org/keycloak/services/resources/RealmsResource.java

@@ -257,8 +257,6 @@ public class RealmsResource {
 
     @Path("{realm}/authz")
     public Object getAuthorizationService(@PathParam("realm") String name) {
-        ProfileHelper.requireFeature(Profile.Feature.AUTHORIZATION);
-
         init(name);
         AuthorizationProvider authorization = this.session.getProvider(AuthorizationProvider.class);
         AuthorizationService service = new AuthorizationService(authorization);

services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java

@@ -109,7 +109,7 @@ public class AccountConsole {
             
             EventStoreProvider eventStore = session.getProvider(EventStoreProvider.class);
             map.put("isEventsEnabled", eventStore != null && realm.isEventsEnabled());
-            map.put("isAuthorizationEnabled", Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION));
+            map.put("isAuthorizationEnabled", true);
 
             FreeMarkerUtil freeMarkerUtil = new FreeMarkerUtil();
             String result = freeMarkerUtil.processTemplate(map, "index.ftl", theme);

services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java

@@ -172,7 +172,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
             account.setUser(auth.getUser());
         }
 
-        account.setFeatures(realm.isIdentityFederationEnabled(), eventStore != null && realm.isEventsEnabled(), true, Profile.isFeatureEnabled(Feature.AUTHORIZATION));
+        account.setFeatures(realm.isIdentityFederationEnabled(), eventStore != null && realm.isEventsEnabled(), true, true);
     }
 
     public static UriBuilder accountServiceBaseUrl(UriInfo uriInfo) {

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -606,8 +606,6 @@ public class ClientResource {
 
     @Path("/authz")
     public AuthorizationService authorization() {
-        ProfileHelper.requireFeature(Profile.Feature.AUTHORIZATION);
-
         AuthorizationService resource = new AuthorizationService(this.session, this.client, this.auth, adminEvent);
 
         ResteasyProviderFactory.getInstance().injectProperties(resource);
@@ -691,12 +689,10 @@ public class ClientResource {
     }
 
     private void updateAuthorizationSettings(ClientRepresentation rep) {
-        if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
+        if (TRUE.equals(rep.getAuthorizationServicesEnabled())) {
-            if (TRUE.equals(rep.getAuthorizationServicesEnabled())) {
+            authorization().enable(false);
-                authorization().enable(false);
+        } else {
-            } else {
+            authorization().disable();
-                authorization().disable();
-            }
         }
     }
 }

services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java

@@ -177,17 +177,15 @@ public class ClientsResource {
 
             adminEvent.operation(OperationType.CREATE).resourcePath(session.getContext().getUri(), clientModel.getId()).representation(rep).success();
 
-            if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
+            if (TRUE.equals(rep.getAuthorizationServicesEnabled())) {
-                if (TRUE.equals(rep.getAuthorizationServicesEnabled())) {
+                AuthorizationService authorizationService = getAuthorizationService(clientModel);
-                    AuthorizationService authorizationService = getAuthorizationService(clientModel);
 
-                    authorizationService.enable(true);
+                authorizationService.enable(true);
 
-                    ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();
+                ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();
 
-                    if (authorizationSettings != null) {
+                if (authorizationSettings != null) {
-                        authorizationService.resourceServer().importSettings(authorizationSettings);
+                    authorizationService.resourceServer().importSettings(authorizationSettings);
-                    }
                 }
             }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractBaseServletAuthzAdapterTest.java

@@ -55,9 +55,6 @@ public abstract class AbstractBaseServletAuthzAdapterTest extends AbstractExampl
     protected static final String REALM_NAME = "servlet-authz";
     protected static final String RESOURCE_SERVER_ID = "servlet-authz-app";
 
-    @BeforeClass
-    public static void enabled() { ProfileAssume.assumePreview(); }
-
     @ArquillianResource
     private Deployer deployer;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java

@@ -122,9 +122,6 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractExampleAd
         testRealmPage.setAuthRealm(REALM_NAME);
     }
 
-    @BeforeClass
-    public static void enabled() { ProfileAssume.assumePreview(); }
-
     @Before
     public void beforePhotozExampleAdapterTest() throws Exception {
         DroneUtils.addWebDriver(jsDriver);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/DefaultAuthzConfigAdapterTest.java

@@ -57,9 +57,6 @@ public class DefaultAuthzConfigAdapterTest extends AbstractExampleAdapterTest {
     private static final String REALM_NAME = "hello-world-authz";
     private static final String RESOURCE_SERVER_ID = "hello-world-authz-service";
 
-    @BeforeClass
-    public static void enabled() { ProfileAssume.assumePreview(); }
-
     @ArquillianResource
     private Deployer deployer;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/ServletPolicyEnforcerTest.java

@@ -63,9 +63,6 @@ public class ServletPolicyEnforcerTest extends AbstractExampleAdapterTest {
     protected static final String REALM_NAME = "servlet-policy-enforcer-authz";
     protected static final String RESOURCE_SERVER_ID = "servlet-policy-enforcer";
 
-    @BeforeClass
-    public static void enabled() { ProfileAssume.assumePreview(); }
-
     @ArquillianResource
     private Deployer deployer;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java

@@ -50,11 +50,6 @@ import org.keycloak.util.JsonSerialization;
  */
 public class AuthzCleanupTest extends AbstractKeycloakTest {
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     @Deployment
     public static WebArchive deploy() {
         return RunOnServerDeployment.create();

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java

@@ -809,8 +809,6 @@ public class PermissionsTest extends AbstractKeycloakTest {
 
     @Test
     public void clientAuthorization() {
-        ProfileAssume.assumePreview();
-
         ClientRepresentation newClient = new ClientRepresentation();
         newClient.setClientId("foo-authz");
         adminClient.realms().realm(REALM_NAME).clients().create(newClient);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java

@@ -128,8 +128,6 @@ public class InstallationTest extends AbstractClientTest {
 
     @Test
     public void testOidcBearerOnlyWithAuthzJson() {
-        ProfileAssume.assumePreview();
-
         oidcBearerOnlyClientWithAuthzId = createOidcBearerOnlyClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
         oidcBearerOnlyClientWithAuthz = findClientResource(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractAuthorizationTest.java

@@ -57,11 +57,6 @@ public abstract class AbstractAuthorizationTest extends AbstractClientTest {
         return "authz-test";
     }
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     @Override
     public void addTestRealms(List<RealmRepresentation> testRealms) {
         testRealms.add(createTestRealm().build());

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPolicyManagementTest.java

@@ -52,11 +52,6 @@ import org.keycloak.testsuite.util.UserBuilder;
  */
 public abstract class AbstractPolicyManagementTest extends AbstractKeycloakTest {
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     @Override
     public void addTestRealms(List<RealmRepresentation> testRealms) {
         testRealms.add(createTestRealm().build());

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AuthorizationDisabledInPreviewTest.java

@@ -1,53 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.keycloak.testsuite.admin.client.authorization;
-
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.keycloak.testsuite.ProfileAssume;
-import org.keycloak.testsuite.admin.client.AbstractClientTest;
-
-import javax.ws.rs.ServerErrorException;
-import javax.ws.rs.core.Response;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-/**
- * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
- */
-public class AuthorizationDisabledInPreviewTest extends AbstractClientTest {
-
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreviewDisabled();
-    }
-
-    @Test
-    public void testAuthzServicesRemoved() {
-        String id = testRealmResource().clients().findAll().get(0).getId();
-        try {
-            testRealmResource().clients().get(id).authorization().getSettings();
-        } catch (ServerErrorException e) {
-            assertEquals(Response.Status.NOT_IMPLEMENTED.getStatusCode(), e.getResponse().getStatus());
-            return;
-        }
-        fail("Feature Authorization should be disabled.");
-    }
-
-}

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ClaimInformationPointProviderTest.java

@@ -75,7 +75,6 @@ public class ClaimInformationPointProviderTest extends AbstractKeycloakTest {
 
     @BeforeClass
     public static void onBeforeClass() {
-        ProfileAssume.assumePreview();
         httpService = Undertow.builder().addHttpListener(8989, "localhost").setHandler(exchange -> {
             if (exchange.isInIoThread()) {
                 try {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/EnforcerConfigTest.java

@@ -40,9 +40,6 @@ import static org.keycloak.testsuite.utils.io.IOUtil.loadRealm;
  */
 public class EnforcerConfigTest extends AbstractKeycloakTest {
 
-    @BeforeClass
-    public static void enabled() { ProfileAssume.assumePreview(); }
-
     @Override
     public void addTestRealms(List<RealmRepresentation> testRealms) {
         RealmRepresentation realm = loadRealm(getClass().getResourceAsStream("/authorization-test/test-authz-realm.json"));

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerClaimsTest.java

@@ -82,11 +82,6 @@ public class PolicyEnforcerClaimsTest extends AbstractKeycloakTest {
 
     protected static final String REALM_NAME = "authz-test";
 
-    @BeforeClass
-    public static void onBeforeClass() {
-        ProfileAssume.assumePreview();
-    }
-
     @Override
     public void addTestRealms(List<RealmRepresentation> testRealms) {
         testRealms.add(RealmBuilder.create().name(REALM_NAME)

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java

@@ -86,11 +86,6 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
 
     protected static final String REALM_NAME = "authz-test";
 
-    @BeforeClass
-    public static void onBeforeClass() {
-        ProfileAssume.assumePreview();
-    }
-
     @Override
     public void addTestRealms(List<RealmRepresentation> testRealms) {
         testRealms.add(RealmBuilder.create().name(REALM_NAME)

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AbstractAuthzTest.java

@@ -12,11 +12,6 @@ import org.keycloak.testsuite.ProfileAssume;
  */
 public abstract class AbstractAuthzTest extends AbstractKeycloakTest {
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     protected AccessToken toAccessToken(String rpt) {
         AccessToken accessToken;
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/InvalidationCrossDCTest.java

@@ -182,8 +182,6 @@ public class InvalidationCrossDCTest extends AbstractAdminCrossDCTest {
 
     @Test
     public void authzResourceInvalidationTest() throws Exception {
-        ProfileAssume.assumePreview();
-        
         enableDcOnLoadBalancer(DC.FIRST);
         enableDcOnLoadBalancer(DC.SECOND);
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/exportimport/ExportImportUtil.java

@@ -384,9 +384,7 @@ public class ExportImportUtil {
         Assert.assertNotNull(linked);
         Assert.assertEquals("my-service-user", linked.getUsername());
         
-        if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
+        assertAuthorizationSettings(realmRsc);
-            assertAuthorizationSettings(realmRsc);
-        }
     }
 
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ScriptAuthenticatorTest.java

@@ -64,11 +64,6 @@ public class ScriptAuthenticatorTest extends AbstractFlowTest {
 
     public static final String EXECUTION_ID = "scriptAuth";
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     @Override
     public void configureTestRealm(RealmRepresentation testRealm) {
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java

@@ -355,8 +355,6 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
     }
 
     private void testResourceWithMultipleUris() {
-        ProfileAssume.assumeFeatureEnabled(Profile.Feature.AUTHORIZATION);
-        
         ClientsResource clients = migrationRealm.clients();
         ClientRepresentation clientRepresentation = clients.findByClientId("authz-servlet").get(0);
         ResourceRepresentation resource = clients.get(clientRepresentation.getId()).authorization().resources().findByName("Protected Resource").get(0);

testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authorization/AbstractAuthorizationSettingsTest.java

@@ -43,11 +43,6 @@ public abstract class AbstractAuthorizationSettingsTest extends AbstractClientTe
 
     protected ClientRepresentation newClient;
 
-    @BeforeClass
-    public static void enabled() {
-        ProfileAssume.assumePreview();
-    }
-
     @Before
     public void configureTest() {
         this.newClient = createResourceServer();

testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/clients/ClientAuthorizationServicesAvailableTest.java

@@ -1,64 +0,0 @@
-/*
- * Copyright 2016 Red Hat, Inc. and/or its affiliates
- * and other contributors as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.keycloak.testsuite.console.clients;
-
-import org.jboss.arquillian.graphene.page.Page;
-import org.junit.Test;
-import org.keycloak.representations.idm.ClientRepresentation;
-import org.keycloak.testsuite.ProfileAssume;
-import org.keycloak.testsuite.console.page.clients.settings.ClientSettings;
-import org.openqa.selenium.By;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.keycloak.testsuite.auth.page.login.Login.OIDC;
-
-/**
- *
- * @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
- */
-public class ClientAuthorizationServicesAvailableTest extends AbstractClientTest {
-
-    private ClientRepresentation newClient;
-
-    @Page
-    private ClientSettings clientSettingsPage;
-
-    @Test
-    public void authzServicesAvailable() {
-        ProfileAssume.assumePreview();
-
-        newClient = createClientRep("oidc-public", OIDC);
-        createClient(newClient);
-        assertEquals("oidc-public", clientSettingsPage.form().getClientId());
-
-        assertTrue(driver.findElement(By.xpath("//*[@for='authorizationServicesEnabled']")).isDisplayed());
-    }
-
-    @Test
-    public void authzServicesUnavailable() throws InterruptedException {
-        ProfileAssume.assumePreviewDisabled();
-
-        newClient = createClientRep("oidc-public", OIDC);
-        createClient(newClient);
-        assertEquals("oidc-public", clientSettingsPage.form().getClientId());
-
-        assertFalse(driver.findElement(By.xpath("//*[@for='authorizationServicesEnabled']")).isDisplayed());
-
-    }
-}

themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html

@@ -132,7 +132,7 @@
                     <input ng-model="clientEdit.serviceAccountsEnabled" name="serviceAccountsEnabled" id="serviceAccountsEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
                 </div>
             </div>
-            <div class="form-group" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && protocol == 'openid-connect'">
+            <div class="form-group" data-ng-show="protocol == 'openid-connect'">
                 <label class="col-md-2 control-label" for="authorizationServicesEnabled">{{:: 'authz-authorization-services-enabled' | translate}}</label>
                 <kc-tooltip>{{:: 'authz-authorization-services-enabled.tooltip' | translate}}</kc-tooltip>
                 <div class="col-md-6">

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client-role.html

@@ -5,7 +5,7 @@
 
     <ul class="nav nav-tabs" data-ng-show="!create">
         <li ng-class="{active: !path[6]}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
-        <li ng-class="{active: path[6] && path[6] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && access.manageAuthorization && client.access.configure">
+        <li ng-class="{active: path[6] && path[6] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && access.manageAuthorization && client.access.configure">
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html

@@ -27,7 +27,7 @@
             <kc-tooltip>{{:: 'scope.tooltip' | translate}}</kc-tooltip>
         </li>
         <li ng-class="{active: path[4] == 'authz'}"
-            data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && !disableAuthorizationTab && client.authorizationServicesEnabled && !client.origin">
+            data-ng-show="!disableAuthorizationTab && client.authorizationServicesEnabled && !client.origin">
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' |
                 translate}}</a></li>
         <li ng-class="{active: path[4] == 'revocation'}" data-ng-show="client.protocol != 'docker-v2' && client.protocol != 'saml' && !client.origin"><a
@@ -55,7 +55,7 @@
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/service-account-roles">{{:: 'service-account-roles' | translate}}</a>
             <kc-tooltip>{{:: 'service-account-roles.tooltip' | translate}}</kc-tooltip>
         </li>
-        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && client.access.manage && access.manageAuthorization">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && client.access.manage && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-client.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html

@@ -9,7 +9,7 @@
         <li ng-class="{active: path[4] == 'attributes'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/attributes">{{:: 'attributes' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'role-mappings'}" ><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/role-mappings">{{:: 'role-mappings' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'members'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/members">{{:: 'members' | translate}}</a></li>
-        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && group.access.manage && access.manageAuthorization">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && group.access.manage && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/groups/{{group.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-group.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-identity-provider.html

@@ -12,6 +12,6 @@
         <li ng-class="{active: !path[6] && path.length > 5}"><a href="#/realms/{{realm.realm}}/identity-provider-settings/provider/{{identityProvider.providerId}}/{{identityProvider.alias}}">{{:: 'settings' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'mappers'}"><a href="#/realms/{{realm.realm}}/identity-provider-mappers/{{identityProvider.alias}}/mappers">{{:: 'mappers' | translate}}</a></li>
         <li ng-class="{active: path[6] == 'export'}"><a href="#/realms/{{realm.realm}}/identity-provider-settings/provider/{{identityProvider.providerId}}/{{identityProvider.alias}}/export" data-ng-show="!importFile && !newIdentityProvider && identityProvider.providerId == 'saml'">{{:: 'export' | translate}}</a></li>
-        <li ng-class="{active: path[6] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && !newIdentityProvider && access.manageAuthorization"><a href="#/realms/{{realm.realm}}/identity-provider-settings/provider/{{identityProvider.providerId}}/{{identityProvider.alias}}/permissions">{{:: 'authz-permissions' | translate}}</a></li>
+        <li ng-class="{active: path[6] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && !newIdentityProvider && access.manageAuthorization"><a href="#/realms/{{realm.realm}}/identity-provider-settings/provider/{{identityProvider.providerId}}/{{identityProvider.alias}}/permissions">{{:: 'authz-permissions' | translate}}</a></li>
     </ul>
 </div>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html

@@ -5,7 +5,7 @@
 
     <ul class="nav nav-tabs" data-ng-show="!create">
         <li ng-class="{active: !path[4]}"><a href="#/realms/{{realm.realm}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
-        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && access.manageRealm && access.manageAuthorization">
+        <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && access.manageRealm && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
         </li>

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html

@@ -3,7 +3,7 @@
 
     <ul class="nav nav-tabs">
         <li ng-class="{active: path[2] == 'users'}"><a href="#/realms/{{realm.realm}}/users">{{:: 'lookup' | translate}}</a></li>
-        <li ng-class="{active: path[2] == 'users-permissions'}" data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && access.manageUsers && access.manageAuthorization">
+        <li ng-class="{active: path[2] == 'users-permissions'}" data-ng-show="serverInfo.featureEnabled('ADMIN_FINE_GRAINED_AUTHZ') && access.manageUsers && access.manageAuthorization">
             <a href="#/realms/{{realm.realm}}/users-permissions">{{:: 'authz-permissions' | translate}}</a>
             <kc-tooltip>{{:: 'manage-permissions-users.tooltip' | translate}}</kc-tooltip>
         </li>