[KEYCLOAK-3135] - Role and user policies apis

2017-04-12 00:40:03 -03:00 · 2017-04-12 00:40:03 -03:00 · eec712a259
commit eec712a259
parent 54ebc1918c
45 changed files with 1036 additions and 444 deletions
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyAdminResource.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyAdminResource.java
@ -1,63 +0,0 @@
 /*
 *  Copyright 2016 Red Hat, Inc. and/or its affiliates
 *  and other contributors as indicated by the @author tags.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 */
 package org.keycloak.authorization.policy.provider.aggregated;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class AggregatePolicyAdminResource implements PolicyProviderAdminService {
    @Override
    public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
        verifyCircularReference(policy, new ArrayList<>());
    }
    @Override
    public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
        verifyCircularReference(policy, new ArrayList<>());
    }
    private void verifyCircularReference(Policy policy, List<String> ids) {
        if (!policy.getType().equals("aggregate")) {
            return;
        }
        if (ids.contains(policy.getId())) {
            throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
        }
        ids.add(policy.getId());
        for (Policy associated : policy.getAssociatedPolicies()) {
            verifyCircularReference(associated, ids);
        }
    }
    @Override
    public void onRemove(Policy policy) {
    }
 }
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
@ -17,19 +17,24 @@
 */
 package org.keycloak.authorization.policy.provider.aggregated;
 import java.util.ArrayList;
 import java.util.List;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProvider;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
-public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
+public class AggregatePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
    private AggregatePolicyProvider provider = new AggregatePolicyProvider();
@ -50,7 +55,7 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
    @Override
    public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
-        return new AggregatePolicyAdminResource();
+        return null;
    }
    @Override
@ -58,6 +63,37 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
        return null;
    }
    @Override
    public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        verifyCircularReference(policy, new ArrayList<>());
    }
    @Override
    public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        verifyCircularReference(policy, new ArrayList<>());
    }
    private void verifyCircularReference(Policy policy, List<String> ids) {
        if (!policy.getType().equals("aggregate")) {
            return;
        }
        if (ids.contains(policy.getId())) {
            throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
        }
        ids.add(policy.getId());
        for (Policy associated : policy.getAssociatedPolicies()) {
            verifyCircularReference(associated, ids);
        }
    }
    @Override
    public void onRemove(Policy policy, AuthorizationProvider authorization) {
    }
    @Override
    public void init(Config.Scope config) {
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
@ -5,13 +5,10 @@ import java.util.Map;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProvider;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
 /**
@ -48,46 +45,41 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory<Reso
    }
    @Override
-    public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+    public PolicyProvider create(KeycloakSession session) {
-        return new PolicyProviderAdminService() {
+        return null;
            @Override
            public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
                updateResourceType(policy, representation);
            }
            @Override
            public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
                updateResourceType(policy, representation);
            }
            private void updateResourceType(Policy policy, AbstractPolicyRepresentation representation) {
                if (representation != null) {
                    //TODO: remove this check once we migrate to new API
                    if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
                        ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
                        Map<String, String> config = policy.getConfig();
                        config.compute("defaultResourceType", (key, value) -> {
                            String resourceType = resourcePermission.getResourceType();
                            return resourceType != null ? resourcePermission.getResourceType() : null;
                        });
                        policy.setConfig(config);
                    }
                }
            }
            @Override
            public void onRemove(Policy policy) {
            }
        };
    }
    @Override
-    public PolicyProvider create(KeycloakSession session) {
+    public void onCreate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
-        return null;
+        updateResourceType(policy, representation);
    }
    @Override
    public void onUpdate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
        updateResourceType(policy, representation);
    }
    private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) {
        if (representation != null) {
            //TODO: remove this check once we migrate to new API
            if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
                ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
                Map<String, String> config = policy.getConfig();
                config.compute("defaultResourceType", (key, value) -> {
                    String resourceType = resourcePermission.getResourceType();
                    return resourceType != null ? resourcePermission.getResourceType() : null;
                });
                policy.setConfig(config);
            }
        }
    }
    @Override
    public void onRemove(Policy policy, AuthorizationProvider authorization) {
    }
    @Override
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
@ -35,18 +35,23 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleContainerModel;
 import org.keycloak.models.RoleContainerModel.RoleRemovedEvent;
 import org.keycloak.models.RoleModel;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 import org.keycloak.util.JsonSerialization;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
-public class RolePolicyProviderFactory implements PolicyProviderFactory {
+public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePolicyRepresentation> {
    private RolePolicyProvider provider = new RolePolicyProvider();
@ -75,6 +80,107 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
        return new RolePolicyProvider();
    }
    @Override
    public RolePolicyRepresentation toRepresentation(Policy policy, RolePolicyRepresentation representation) {
        try {
            representation.setRoles(JsonSerialization.readValue(policy.getConfig().get("roles"), Set.class));
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize roles", cause);
        }
        return representation;
    }
    @Override
    public Class<RolePolicyRepresentation> getRepresentationType() {
        return RolePolicyRepresentation.class;
    }
    @Override
    public void onCreate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
        updateRoles(policy, representation, authorization);
    }
    @Override
    public void onUpdate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
        updateRoles(policy, representation, authorization);
    }
    @Override
    public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        try {
            updateRoles(policy, authorization, new HashSet<>(Arrays.asList(JsonSerialization.readValue(representation.getConfig().get("roles"), RolePolicyRepresentation.RoleDefinition[].class))));
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize roles during import", cause);
        }
    }
    private void updateRoles(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
        updateRoles(policy, authorization, representation.getRoles());
    }
    private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
        try {
            RealmModel realm = authorization.getRealm();
            Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
            if (roles != null) {
                for (RolePolicyRepresentation.RoleDefinition definition : roles) {
                    String roleName = definition.getId();
                    String clientId = null;
                    int clientIdSeparator = roleName.indexOf("/");
                    if (clientIdSeparator != -1) {
                        clientId = roleName.substring(0, clientIdSeparator);
                        roleName = roleName.substring(clientIdSeparator + 1);
                    }
                    RoleModel role;
                    if (clientId == null) {
                        role = realm.getRole(roleName);
                        if (role == null) {
                            role = realm.getRoleById(roleName);
                        }
                    } else {
                        ClientModel client = realm.getClientByClientId(clientId);
                        if (client == null) {
                            throw new RuntimeException("Client with id [" + clientId + "] not found.");
                        }
                        role = client.getRole(roleName);
                    }
                    // fallback to find any client role with the given name
                    if (role == null) {
                        String finalRoleName = roleName;
                        role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
                                .findFirst().orElse(null);
                    }
                    if (role == null) {
                        throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
                    }
                    definition.setId(role.getId());
                    updatedRoles.add(definition);
                }
                try {
                } catch (Exception e) {
                    throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
                }
            }
            Map<String, String> config = policy.getConfig();
            config.put("roles", JsonSerialization.writeValueAsString(updatedRoles));
            policy.setConfig(config);
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize roles", cause);
        }
    }
    @Override
    public void init(Config.Scope config) {
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
@ -18,46 +18,11 @@
 package org.keycloak.authorization.policy.provider.time;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import java.text.SimpleDateFormat;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class TimePolicyAdminResource implements PolicyProviderAdminService {
    @Override
    public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
        validateConfig(policy);
    }
    private void validateConfig(Policy policy) {
        String nbf = policy.getConfig().get("nbf");
        String noa = policy.getConfig().get("noa");
        if (nbf != null && noa != null) {
            validateFormat(nbf);
            validateFormat(noa);
        }
    }
    @Override
    public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
        validateConfig(policy);
    }
    @Override
    public void onRemove(Policy policy) {
    }
    private void validateFormat(String date) {
        try {
            new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
        } catch (Exception e) {
            throw new RuntimeException("Could not parse a date using format [" + date + "]");
        }
    }
 }
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
@ -1,18 +1,22 @@
 package org.keycloak.authorization.policy.provider.time;
 import java.text.SimpleDateFormat;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProvider;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
-public class TimePolicyProviderFactory implements PolicyProviderFactory {
+public class TimePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
    private TimePolicyProvider provider = new TimePolicyProvider();
@ -41,6 +45,38 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
        return null;
    }
    @Override
    public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        validateConfig(policy);
    }
    private void validateConfig(Policy policy) {
        String nbf = policy.getConfig().get("nbf");
        String noa = policy.getConfig().get("noa");
        if (nbf != null && noa != null) {
            validateFormat(nbf);
            validateFormat(noa);
        }
    }
    @Override
    public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        validateConfig(policy);
    }
    @Override
    public void onRemove(Policy policy, AuthorizationProvider authorization) {
    }
    private void validateFormat(String date) {
        try {
            new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
        } catch (Exception e) {
            throw new RuntimeException("Could not parse a date using format [" + date + "]");
        }
    }
    @Override
    public void init(Config.Scope config) {
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
@ -20,14 +20,16 @@ package org.keycloak.authorization.policy.provider.user;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProvider;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.ResourceServerStore;
@ -37,12 +39,14 @@ import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserModel.UserRemovedEvent;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 import org.keycloak.util.JsonSerialization;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
-public class UserPolicyProviderFactory implements PolicyProviderFactory {
+public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPolicyRepresentation> {
    private UserPolicyProvider provider = new UserPolicyProvider();
@ -62,13 +66,80 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
    }
    @Override
-    public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+    public PolicyProvider create(KeycloakSession session) {
        return null;
    }
    @Override
-    public PolicyProvider create(KeycloakSession session) {
+    public UserPolicyRepresentation toRepresentation(Policy policy, UserPolicyRepresentation representation) {
-        return null;
+        try {
            representation.setUsers(JsonSerialization.readValue(policy.getConfig().get("users"), Set.class));
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize roles", cause);
        }
        return representation;
    }
    @Override
    public Class<UserPolicyRepresentation> getRepresentationType() {
        return UserPolicyRepresentation.class;
    }
    @Override
    public void onCreate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
        updateUsers(policy, representation, authorization);
    }
    @Override
    public void onUpdate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
        updateUsers(policy, representation, authorization);
    }
    @Override
    public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        try {
            updateUsers(policy, authorization, JsonSerialization.readValue(representation.getConfig().get("users"), Set.class));
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize users during import", cause);
        }
    }
    private void updateUsers(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
        updateUsers(policy, authorization, representation.getUsers());
    }
    private void updateUsers(Policy policy, AuthorizationProvider authorization, Set<String> users) {
        try {
            KeycloakSession session = authorization.getKeycloakSession();
            RealmModel realm = authorization.getRealm();
            Set<String> updatedRoles = new HashSet<>();
            if (users != null) {
                for (String userId : users) {
                    UserModel user = session.users().getUserByUsername(userId, realm);
                    if (user == null) {
                        user = session.users().getUserById(userId, realm);
                    }
                    if (user == null) {
                        throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
                    }
                    updatedRoles.add(user.getId());
                }
                try {
                } catch (Exception e) {
                    throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
                }
            }
            Map<String, String> config = policy.getConfig();
            config.put("users", JsonSerialization.writeValueAsString(updatedRoles));
            policy.setConfig(config);
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize roles", cause);
        }
    }
    @Override
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
@ -16,9 +16,7 @@
 */
 package org.keycloak.authorization.policy.provider.drools;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.kie.api.runtime.KieContainer;
@ -39,21 +37,6 @@ public class DroolsPolicyAdminResource implements PolicyProviderAdminService {
        this.factory = factory;
    }
    @Override
    public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
        this.factory.update(policy);
    }
    @Override
    public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
        this.factory.update(policy);
    }
    @Override
    public void onRemove(Policy policy) {
        this.factory.remove(policy);
    }
    @Path("/resolveModules")
    @POST
    @Consumes("application/json")
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
@ -13,6 +13,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.kie.api.KieServices;
 import org.kie.api.KieServices.Factory;
 import org.kie.api.runtime.KieContainer;
@ -58,6 +60,26 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
        return null;
    }
    @Override
    public void onCreate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
        update(policy);
    }
    @Override
    public void onUpdate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
        update(policy);
    }
    @Override
    public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
        update(policy);
    }
    @Override
    public void onRemove(Policy policy, AuthorizationProvider authorization) {
        remove(policy);
    }
    @Override
    public void init(Config.Scope config) {
        this.ks = Factory.get();
--- a/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
@ -0,0 +1,74 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.representations.idm.authorization;
 import java.util.HashSet;
 import java.util.Set;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class RolePolicyRepresentation extends AbstractPolicyRepresentation {
    private Set<RoleDefinition> roles;
    public Set<RoleDefinition> getRoles() {
        return roles;
    }
    public void setRoles(Set<RoleDefinition> roles) {
        this.roles = roles;
    }
    public void addRole(String name, boolean required) {
        if (roles == null) {
            roles = new HashSet<>();
        }
        roles.add(new RoleDefinition(name, required));
    }
    public static class RoleDefinition {
        private String id;
        private boolean required;
        public RoleDefinition() {
            this(null, false);
        }
        public RoleDefinition(String id, boolean required) {
            this.id = id;
            this.required = required;
        }
        public String getId() {
            return id;
        }
        public void setId(String id) {
            this.id = id;
        }
        public boolean isRequired() {
            return required;
        }
        public void setRequired(boolean required) {
            this.required = required;
        }
    }
 }
--- a/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
@ -0,0 +1,43 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.representations.idm.authorization;
 import java.util.HashSet;
 import java.util.Set;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class UserPolicyRepresentation extends AbstractPolicyRepresentation {
    private Set<String> users;
    public Set<String> getUsers() {
        return users;
    }
    public void setUsers(Set<String> users) {
        this.users= users;
    }
    public void addUser(String name) {
        if (users == null) {
            users = new HashSet<>();
        }
        users.add(name);
    }
 }
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
@ -69,4 +69,9 @@ public interface PoliciesResource {
    @Path("evaluate")
    PolicyEvaluationResponse evaluate(PolicyEvaluationRequest evaluationRequest);
    @Path("role")
    RolePoliciesResource roles();
    @Path("user")
    UserPoliciesResource users();
 }
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
@ -0,0 +1,42 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.admin.client.resource;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public interface RolePoliciesResource {
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    Response create(RolePolicyRepresentation representation);
    @Path("{id}")
    RolePolicyResource findById(@PathParam("id") String id);
 }
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
@ -0,0 +1,69 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.admin.client.resource;
 import java.util.List;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public interface RolePolicyResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    RolePolicyRepresentation toRepresentation();
    @PUT
    @Consumes(MediaType.APPLICATION_JSON)
    void update(RolePolicyRepresentation representation);
    @DELETE
    void remove();
    @Path("/associatedPolicies")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    List<PolicyRepresentation> associatedPolicies();
    @Path("/dependentPolicies")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    List<PolicyRepresentation> dependentPolicies();
    @Path("/resources")
    @GET
    @Produces("application/json")
    @NoCache
    List<ResourceRepresentation> resources();
 }
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
@ -0,0 +1,42 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.admin.client.resource;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public interface UserPoliciesResource {
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    Response create(UserPolicyRepresentation representation);
    @Path("{id}")
    UserPolicyResource findById(@PathParam("id") String id);
 }
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
@ -0,0 +1,69 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.admin.client.resource;
 import java.util.List;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public interface UserPolicyResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    UserPolicyRepresentation toRepresentation();
    @PUT
    @Consumes(MediaType.APPLICATION_JSON)
    void update(UserPolicyRepresentation representation);
    @DELETE
    void remove();
    @Path("/associatedPolicies")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    List<PolicyRepresentation> associatedPolicies();
    @Path("/dependentPolicies")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    List<PolicyRepresentation> dependentPolicies();
    @Path("/resources")
    @GET
    @Produces("application/json")
    @NoCache
    List<ResourceRepresentation> resources();
 }
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
@ -54,15 +54,14 @@ public class CachedPolicyStore implements PolicyStore {
    private static final String POLICY_ID_CACHE_PREFIX = "policy-id-";
    private final Cache<String, Map<String, List<CachedPolicy>>> cache;
-    private final KeycloakSession session;
+    private final CachedStoreFactoryProvider cacheStoreFactory;
    private final CacheTransaction transaction;
    private final List<String> cacheKeys;
-    private StoreFactory storeFactory;
+    private final StoreFactory storeFactory;
    private PolicyStore delegate;
    private CachedStoreFactoryProvider cachedStoreFactory;
-    public CachedPolicyStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
+    public CachedPolicyStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
-        this.session = session;
+        this.cacheStoreFactory = cacheStoreFactory;
        this.transaction = transaction;
        InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
        this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
@ -71,7 +70,7 @@ public class CachedPolicyStore implements PolicyStore {
        cacheKeys.add("findByResourceType");
        cacheKeys.add("findByScopeIds");
        cacheKeys.add("findByType");
-        this.storeFactory = storeFactory;
+        this.storeFactory = delegate;
    }
    @Override
@ -405,10 +404,7 @@ public class CachedPolicyStore implements PolicyStore {
    }
    private CachedStoreFactoryProvider getCachedStoreFactory() {
-        if (cachedStoreFactory == null) {
+        return cacheStoreFactory;
            cachedStoreFactory = session.getProvider(CachedStoreFactoryProvider.class);
        }
        return cachedStoreFactory;
    }
    private void invalidateCache(String resourceServerId) {
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
@ -41,18 +41,16 @@ public class CachedResourceServerStore implements ResourceServerStore {
    private static final String RS_ID_CACHE_PREFIX = "rs-id-";
    private static final String RS_CLIENT_ID_CACHE_PREFIX = "rs-client-id-";
    private final KeycloakSession session;
    private final CacheTransaction transaction;
    private StoreFactory storeFactory;
    private ResourceServerStore delegate;
    private final Cache<String, Map<String, List<CachedResourceServer>>> cache;
-    public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
+    public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory delegate) {
        this.session = session;
        this.transaction = transaction;
        InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
        this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
-        this.storeFactory = storeFactory;
+        this.storeFactory = delegate;
    }
    @Override
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
@ -50,14 +50,16 @@ public class CachedResourceStore implements ResourceStore {
    private static final String RESOURCE_NAME_CACHE_PREFIX = "rsc-name-";
    private final KeycloakSession session;
    private final CachedStoreFactoryProvider cacheStoreFactory;
    private final CacheTransaction transaction;
    private final List<String> cacheKeys;
    private StoreFactory storeFactory;
    private ResourceStore delegate;
    private final Cache<String, Map<String, List<CachedResource>>> cache;
-    public CachedResourceStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
+    public CachedResourceStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
        this.session = session;
        this.cacheStoreFactory = cacheStoreFactory;
        InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
        this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
        this.transaction = transaction;
@ -65,7 +67,7 @@ public class CachedResourceStore implements ResourceStore {
        cacheKeys.add("findByOwner");
        cacheKeys.add("findByUri");
        cacheKeys.add("findByName");
-        this.storeFactory = storeFactory;
+        this.storeFactory = delegate;
    }
    @Override
@ -293,7 +295,7 @@ public class CachedResourceStore implements ResourceStore {
    }
    private CachedStoreFactoryProvider getCachedStoreFactory() {
-        return session.getProvider(CachedStoreFactoryProvider.class);
+        return cacheStoreFactory;
    }
    private List<Resource> cacheResult(String resourceServerId, String key, Supplier<List<Resource>> provider) {
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
@ -44,17 +44,17 @@ public class CachedScopeStore implements ScopeStore {
    private static final String SCOPE_NAME_CACHE_PREFIX = "scp-name-";
    private final Cache<String, Map<String, List<CachedScope>>> cache;
-    private final KeycloakSession session;
+    private final CachedStoreFactoryProvider cacheStoreFactory;
    private final CacheTransaction transaction;
    private ScopeStore delegate;
    private StoreFactory storeFactory;
-    public CachedScopeStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
+    public CachedScopeStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
-        this.session = session;
+        this.cacheStoreFactory = cacheStoreFactory;
        this.transaction = transaction;
        InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
        this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
-        this.storeFactory = storeFactory;
+        this.storeFactory = delegate;
    }
    @Override
@ -220,7 +220,7 @@ public class CachedScopeStore implements ScopeStore {
    }
    private CachedStoreFactoryProvider getCachedStoreFactory() {
-        return session.getProvider(CachedStoreFactoryProvider.class);
+        return cacheStoreFactory;
    }
    private void invalidateCache(String resourceServerId) {
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
@ -18,6 +18,11 @@
 package org.keycloak.models.authorization.infinispan;
 import java.util.ArrayList;
 import java.util.List;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.AuthorizationStoreFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.ResourceServerStore;
 import org.keycloak.authorization.store.ResourceStore;
@ -27,9 +32,6 @@ import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakTransaction;
 import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
@ -37,21 +39,22 @@ public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvide
    private final KeycloakSession session;
    private final CacheTransaction transaction;
-    private final StoreFactory storeFactory;
+    private final StoreFactory delegate;
    private final CachedResourceStore resourceStore;
    private final CachedScopeStore scopeStore;
    private final CachedPolicyStore policyStore;
    private ResourceServerStore resourceServerStore;
-    InfinispanStoreFactoryProvider(KeycloakSession delegate) {
+    public InfinispanStoreFactoryProvider(AuthorizationProvider authorizationProvider) {
-        this.session = delegate;
+        this.session = authorizationProvider.getKeycloakSession();
        this.transaction = new CacheTransaction();
        this.session.getTransactionManager().enlistAfterCompletion(transaction);
-        storeFactory = this.session.getProvider(StoreFactory.class);
+        AuthorizationStoreFactory providerFactory = (AuthorizationStoreFactory) this.session.getKeycloakSessionFactory().getProviderFactory(StoreFactory.class);
-        resourceStore = new CachedResourceStore(this.session, this.transaction, storeFactory);
+        delegate = providerFactory.create(authorizationProvider);
-        resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, storeFactory);
+        resourceStore = new CachedResourceStore(this.session, this, this.transaction, delegate);
-        scopeStore = new CachedScopeStore(this.session, this.transaction, storeFactory);
+        resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, delegate);
-        policyStore = new CachedPolicyStore(this.session, this.transaction, storeFactory);
+        scopeStore = new CachedScopeStore(this.session, this, this.transaction, delegate);
        policyStore = new CachedPolicyStore(this.session, this, this.transaction, delegate);
    }
    @Override
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
@ -19,6 +19,8 @@
 package org.keycloak.models.authorization.infinispan;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
@ -31,7 +33,7 @@ import org.keycloak.provider.EnvironmentDependentProviderFactory;
 public class InfinispanStoreProviderFactory implements CachedStoreProviderFactory, EnvironmentDependentProviderFactory {
    @Override
    public CachedStoreFactoryProvider create(KeycloakSession session) {
-        return new InfinispanStoreFactoryProvider(session);
+        return null;
    }
    @Override
@ -58,4 +60,9 @@ public class InfinispanStoreProviderFactory implements CachedStoreProviderFactor
    public boolean isSupported() {
        return true;
    }
    @Override
    public StoreFactory create(AuthorizationProvider authorizationProvider) {
        return new InfinispanStoreFactoryProvider(authorizationProvider);
    }
 }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
@ -18,21 +18,22 @@
 package org.keycloak.authorization.jpa.store;
 import javax.persistence.EntityManager;
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.AuthorizationStoreFactory;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.connections.jpa.JpaConnectionProvider;
 import org.keycloak.models.KeycloakSession;
 import javax.persistence.EntityManager;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
    @Override
    public StoreFactory  create(KeycloakSession session) {
-        return new JPAStoreFactory(getEntityManager(session));
+        return null;
    }
    @Override
@ -53,4 +54,9 @@ public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
    private EntityManager getEntityManager(KeycloakSession session) {
        return session.getProvider(JpaConnectionProvider.class).getEntityManager();
    }
    @Override
    public StoreFactory create(AuthorizationProvider authorizationProvider) {
        return new JPAStoreFactory(getEntityManager(authorizationProvider.getKeycloakSession()), authorizationProvider);
    }
 }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
@ -17,15 +17,18 @@
 */
 package org.keycloak.authorization.jpa.store;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.jpa.entities.PolicyEntity;
 import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.RepresentationToModel;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import javax.persistence.EntityManager;
 import javax.persistence.NoResultException;
@ -46,10 +49,12 @@ public class JPAPolicyStore implements PolicyStore {
    private final EntityManager entityManager;
    private final StoreFactory storeFactory;
    private final AuthorizationProvider authorization;
-    public JPAPolicyStore(EntityManager entityManager, StoreFactory storeFactory) {
+    public JPAPolicyStore(EntityManager entityManager, JPAStoreFactory jpaStoreFactory, AuthorizationProvider authorization) {
        this.entityManager = entityManager;
-        this.storeFactory = storeFactory;
+        this.storeFactory = jpaStoreFactory;
        this.authorization = authorization;
    }
    @Override
@ -59,10 +64,20 @@ public class JPAPolicyStore implements PolicyStore {
        entity.setId(KeycloakModelUtils.generateId());
        entity.setResourceServer((ResourceServerEntity) resourceServer);
        entity.setType(representation.getType());
        entity.setName(representation.getName());
        this.entityManager.persist(entity);
        entity = (PolicyEntity) RepresentationToModel.toModel(representation, storeFactory, entity);
-        this.entityManager.persist(entity);
+        PolicyProviderFactory provider = authorization.getProviderFactory(entity.getType());
        if (representation instanceof PolicyRepresentation) {
            provider.onImport(entity, PolicyRepresentation.class.cast(representation), authorization);
        } else {
            provider.onCreate(entity, representation, authorization);
        }
        return entity;
    }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
@ -18,6 +18,7 @@
 package org.keycloak.authorization.jpa.store;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.ResourceServerStore;
 import org.keycloak.authorization.store.ResourceStore;
@ -32,14 +33,16 @@ import javax.persistence.EntityManager;
 public class JPAStoreFactory implements StoreFactory {
    private final EntityManager entityManager;
    private final AuthorizationProvider authorization;
-    public JPAStoreFactory(EntityManager entityManager) {
+    public JPAStoreFactory(EntityManager entityManager, AuthorizationProvider authorizationProvider) {
        this.entityManager = entityManager;
        this.authorization = authorizationProvider;
    }
    @Override
    public PolicyStore getPolicyStore() {
-        return new JPAPolicyStore(this.entityManager, this);
+        return new JPAPolicyStore(entityManager, this, authorization);
    }
    @Override
--- a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
@ -21,8 +21,6 @@ package org.keycloak.authorization;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Executor;
 import java.util.function.Supplier;
 import org.keycloak.authorization.permission.evaluator.Evaluators;
 import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@ -31,6 +29,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
 import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
 import org.keycloak.provider.Provider;
 /**
@ -62,25 +62,20 @@ import org.keycloak.provider.Provider;
 public final class AuthorizationProvider implements Provider {
    private final DefaultPolicyEvaluator policyEvaluator;
-    private final Executor scheduller;
+    private StoreFactory storeFactory;
    private final Supplier<StoreFactory> storeFactory;
    private final Map<String, PolicyProviderFactory> policyProviderFactories;
    private final KeycloakSession keycloakSession;
    private final RealmModel realm;
-    public AuthorizationProvider(KeycloakSession session, RealmModel realm, Supplier<StoreFactory> storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories, Executor scheduller) {
+    public AuthorizationProvider(KeycloakSession session, RealmModel realm, Map<String, PolicyProviderFactory> policyProviderFactories) {
        this.keycloakSession = session;
        this.realm = realm;
-        this.storeFactory = storeFactory;
+        CachedStoreProviderFactory providerFactory = (CachedStoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CachedStoreFactoryProvider.class);
-        this.scheduller = scheduller;
+        storeFactory = providerFactory.create(this);
        this.policyProviderFactories = policyProviderFactories;
        this.policyEvaluator = new DefaultPolicyEvaluator(this);
    }
    public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
        this(session, realm, () -> storeFactory, policyProviderFactories, Runnable::run);
    }
    /**
     * Returns a {@link Evaluators} instance from where {@link org.keycloak.authorization.policy.evaluation.PolicyEvaluator} instances
     * can be obtained.
@ -88,7 +83,7 @@ public final class AuthorizationProvider implements Provider {
     * @return a {@link Evaluators} instance
     */
    public Evaluators evaluators() {
-        return new Evaluators(this.policyEvaluator, this.scheduller);
+        return new Evaluators(policyEvaluator);
    }
    /**
@ -97,7 +92,7 @@ public final class AuthorizationProvider implements Provider {
     * @return the {@link StoreFactory}
     */
    public StoreFactory getStoreFactory() {
-        return this.storeFactory.get();
+        return this.storeFactory;
    }
    /**
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/ScheduledPermissionEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/ScheduledPermissionEvaluator.java
@ -17,22 +17,18 @@
 */
 package org.keycloak.authorization.permission.evaluator;
 import java.util.concurrent.Executor;
 import org.keycloak.authorization.Decision;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 * @see PermissionEvaluator
 */
-class ScheduledPermissionEvaluator implements PermissionEvaluator {
+class DefaultPermissionEvaluator implements PermissionEvaluator {
    private final PermissionEvaluator publisher;
    private final Executor scheduler;
-    ScheduledPermissionEvaluator(PermissionEvaluator publisher, Executor scheduler) {
+    DefaultPermissionEvaluator(PermissionEvaluator publisher) {
        this.publisher = publisher;
        this.scheduler = scheduler;
    }
    @Override
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
@ -19,7 +19,6 @@
 package org.keycloak.authorization.permission.evaluator;
 import java.util.List;
 import java.util.concurrent.Executor;
 import org.keycloak.authorization.permission.ResourcePermission;
 import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@ -33,11 +32,9 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext;
 public final class Evaluators {
    private final DefaultPolicyEvaluator policyEvaluator;
    private final Executor scheduler;
-    public Evaluators(DefaultPolicyEvaluator policyEvaluator, Executor scheduler) {
+    public Evaluators(DefaultPolicyEvaluator policyEvaluator) {
        this.policyEvaluator = policyEvaluator;
        this.scheduler = scheduler;
    }
    public PermissionEvaluator from(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
@ -45,6 +42,6 @@ public final class Evaluators {
    }
    public PermissionEvaluator schedule(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
-        return new ScheduledPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator), this.scheduler);
+        return new DefaultPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator));
    }
 }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
@ -18,7 +18,6 @@
 package org.keycloak.authorization.policy.provider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 /**
@ -26,15 +25,4 @@ import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentati
 */
 public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentation> {
    default void onCreate(Policy policy, R representation) {
    }
    default void onUpdate(Policy policy, R representation) {
    }
    default void onRemove(Policy policy) {
    }
 }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
@ -44,6 +44,22 @@ public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> e
        return (Class<R>) PolicyRepresentation.class;
    }
    default void onCreate(Policy policy, R representation, AuthorizationProvider authorization) {
    }
    default void onUpdate(Policy policy, R representation, AuthorizationProvider authorization) {
    }
    default void onRemove(Policy policy, AuthorizationProvider authorization) {
    }
    default void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
    }
    default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
        return null;
    }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
@ -18,6 +18,7 @@
 package org.keycloak.authorization.store;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
 import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
 import org.keycloak.authorization.store.syncronization.Synchronizer;
@ -61,4 +62,6 @@ public interface AuthorizationStoreFactory extends ProviderFactory<StoreFactory>
            }
        });
    }
    StoreFactory create(AuthorizationProvider authorizationProvider);
 }
--- a/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java
@ -18,10 +18,13 @@
 package org.keycloak.models.cache.authorization;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.provider.ProviderFactory;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public interface CachedStoreProviderFactory extends ProviderFactory<CachedStoreFactoryProvider> {
    StoreFactory create(AuthorizationProvider authorizationProvider);
 }
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@ -36,6 +36,7 @@ import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.ResourceServerStore;
 import org.keycloak.authorization.store.ResourceStore;
@ -1941,81 +1942,6 @@ public class RepresentationToModel {
            Map<String, String> config = policyRepresentation.getConfig();
            String roles = config.get("roles");
            if (roles != null && !roles.isEmpty()) {
                try {
                    List<Map> rolesMap = (List<Map>) JsonSerialization.readValue(roles, List.class);
                    config.put("roles", JsonSerialization.writeValueAsString(rolesMap.stream().map(roleConfig -> {
                        String roleName = roleConfig.get("id").toString();
                        String clientId = null;
                        int clientIdSeparator = roleName.indexOf("/");
                        if (clientIdSeparator != -1) {
                            clientId = roleName.substring(0, clientIdSeparator);
                            roleName = roleName.substring(clientIdSeparator + 1);
                        }
                        RoleModel role;
                        if (clientId == null) {
                            role = realm.getRole(roleName);
                        } else {
                            role = realm.getClientByClientId(clientId).getRole(roleName);
                        }
                        // fallback to find any client role with the given name
                        if (role == null) {
                            String finalRoleName = roleName;
                            role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
                                    .findFirst().orElse(null);
                        }
                        if (role == null) {
                            role = realm.getRoleById(roleName);
                            if (role == null) {
                                String finalRoleName1 = roleName;
                                role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName1)).filter(roleModel -> roleModel != null)
                                        .findFirst().orElse(null);
                            }
                        }
                        if (role == null) {
                            throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
                        }
                        roleConfig.put("id", role.getId());
                        return roleConfig;
                    }).collect(Collectors.toList())));
                } catch (Exception e) {
                    throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
                }
            }
            String users = config.get("users");
            if (users != null && !users.isEmpty()) {
                try {
                    List<String> usersMap = (List<String>) JsonSerialization.readValue(users, List.class);
                    config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userId -> {
                        UserModel user = session.users().getUserByUsername(userId, realm);
                        if (user == null) {
                            user = session.users().getUserById(userId, realm);
                        }
                        if (user == null) {
                            throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
                        }
                        return user.getId();
                    }).collect(Collectors.toList())));
                } catch (Exception e) {
                    throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
                }
            }
            String scopes = config.get("scopes");
            if (scopes != null && !scopes.isEmpty()) {
@ -2098,12 +2024,16 @@ public class RepresentationToModel {
                policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
            }
            PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyRepresentation.getType());
            if (policy == null) {
                policy = policyStore.create(policyRepresentation, resourceServer);
            } else {
                toModel(policyRepresentation, storeFactory, policy);
            }
            providerFactory.onImport(policy, policyRepresentation, authorization);
            if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
                return policy;
            }
--- a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
+++ b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
@ -26,11 +26,9 @@ import java.util.concurrent.Executor;
 import org.keycloak.Config;
 import org.keycloak.authorization.policy.provider.PolicyProvider;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
 import org.keycloak.provider.ProviderFactory;
 /**
@ -76,13 +74,7 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
    @Override
    public AuthorizationProvider create(KeycloakSession session, RealmModel realm) {
-        StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class);
+        return new AuthorizationProvider(session, realm, policyProviderFactories);
        if (storeFactory == null) {
            storeFactory = session.getProvider(StoreFactory.class);
        }
        return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories);
    }
    private Map<String, PolicyProviderFactory> configurePolicyProviderFactories(KeycloakSessionFactory keycloakSessionFactory) {
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
@ -34,6 +34,7 @@ import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.utils.ModelToRepresentation;
@ -79,14 +80,12 @@ public class PolicyResourceService {
        Policy updated = RepresentationToModel.toModel(representation, authorization.getStoreFactory(), policy);
-        PolicyProviderAdminService resource = getPolicyProviderAdminResource(updated.getType());
+        PolicyProviderFactory resource = getProviderFactory(updated.getType());
-        if (resource != null) {
+        if (representation instanceof PolicyRepresentation) {
-            try {
+            resource.onImport(updated, PolicyRepresentation.class.cast(representation), authorization);
-                resource.onUpdate(updated, representation);
+        } else {
-            } catch (Exception e) {
+            resource.onUpdate(updated, representation, authorization);
                throw new RuntimeException(e);
            }
        }
        return Response.status(Status.CREATED).build();
@ -102,15 +101,9 @@ public class PolicyResourceService {
        StoreFactory storeFactory = authorization.getStoreFactory();
        PolicyStore policyStore = storeFactory.getPolicyStore();
-        PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
+        PolicyProviderFactory resource = getProviderFactory(policy.getType());
-        if (resource != null) {
+        resource.onRemove(policy, authorization);
            try {
                resource.onRemove(policy);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        policyStore.findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
            if (dependentPolicy.getAssociatedPolicies().size() == 1) {
@ -242,8 +235,8 @@ public class PolicyResourceService {
        return representation;
    }
-    protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
+    private PolicyProviderFactory getProviderFactory(String policyType) {
-        return authorization.getProviderFactory(policyType).getAdminResource(resourceServer, authorization);
+        return authorization.getProviderFactory(policyType);
    }
    protected Policy getPolicy() {
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
@ -96,16 +96,6 @@ public class PolicyService {
        AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
        Policy policy = create(representation);
        PolicyProviderAdminService provider = getPolicyProviderAdminResource(representation.getType());
        if (provider != null) {
            try {
                provider.onCreate(policy, representation);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        representation.setId(policy.getId());
@ -133,14 +123,12 @@ public class PolicyService {
        }
        Policy policy = policyStore.create(representation, resourceServer);
-        PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
+        PolicyProviderFactory provider = getPolicyProviderFactory(policy.getType());
-        if (resource != null) {
+        if (representation instanceof PolicyRepresentation) {
-            try {
+            provider.onImport(policy, PolicyRepresentation.class.cast(representation), authorization);
-                resource.onCreate(policy, null);
+        } else {
-            } catch (Exception e) {
+            provider.onCreate(policy, representation, authorization);
                throw new RuntimeException(e);
            }
        }
        return policy;
--- a/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
@ -50,6 +50,7 @@ import org.keycloak.models.utils.RepresentationToModel;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.Logic;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
 import org.keycloak.services.resources.admin.RealmAuth;
@ -183,21 +184,15 @@ public class ResourceServerService {
    }
    private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) {
-        PolicyRepresentation defaultPermission = new PolicyRepresentation();
+        ResourcePermissionRepresentation defaultPermission = new ResourcePermissionRepresentation();
        defaultPermission.setName("Default Permission");
        defaultPermission.setType("resource");
        defaultPermission.setDescription("A permission that applies to the default resource type");
        defaultPermission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
        defaultPermission.setLogic(Logic.POSITIVE);
-        HashMap<String, String> defaultPermissionConfig = new HashMap<>();
+        defaultPermission.setResourceType(resource.getType());
-
+        defaultPermission.addPolicy(policy.getName());
        defaultPermissionConfig.put("default", "true");
        defaultPermissionConfig.put("defaultResourceType", resource.getType());
        defaultPermissionConfig.put("applyPolicies", "[\"" + policy.getName() + "\"]");
        defaultPermission.setConfig(defaultPermissionConfig);
        getPolicyResource().create(defaultPermission);
    }
--- a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
+++ b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
@ -139,12 +139,19 @@ public class KeycloakIdentity implements Identity {
        if (this.accessToken.getClientSession() != null) {
            ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession());
-            clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
+
-        } else if (this.accessToken.getIssuedFor() != null) {
+            if (clientSession != null) {
-            ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
+                clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
-            clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
+            }
        }
        if (this.accessToken.getIssuedFor() != null) {
            ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
            if (clientModel != null) {
                clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
            }
        }
        if (clientUser == null) {
            return false;
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@ -139,7 +139,7 @@ public class EntitlementService {
                            .allowedOrigins(identity.getAccessToken())
                            .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
                } else {
-                    asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+                    asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
                }
            }
        });
@ -192,7 +192,7 @@ public class EntitlementService {
                                .allowedOrigins(identity.getAccessToken())
                                .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
                    } else {
-                        asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+                        asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
                    }
                }
            });
@ -207,8 +207,7 @@ public class EntitlementService {
        }
    }
-    private String createRequestingPartyToken(List<Permission> permissions) {
+    private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
        AccessToken accessToken = Tokens.getAccessToken(this.authorization.getKeycloakSession());
        RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
        AccessToken.Authorization authorization = new AccessToken.Authorization();
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
@ -108,11 +108,13 @@ public class PhotozClientAuthzTestApp extends AbstractPageWithInjectedUrl {
    public void requestEntitlement() {
        entitlement.click();
        pause(WAIT_AFTER_OPERATION);
        pause(WAIT_AFTER_OPERATION);
    }
    public void requestEntitlements() {
        entitlements.click();
        pause(WAIT_AFTER_OPERATION);
        pause(WAIT_AFTER_OPERATION);
    }
    public void login(String username, String password, String... scopes) throws InterruptedException {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
@ -18,6 +18,7 @@ package org.keycloak.testsuite.admin;
 import org.jboss.arquillian.container.test.api.Deployment;
 import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
@ -29,13 +30,11 @@ import org.keycloak.models.RoleModel;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.Logic;
-import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
@ -43,6 +42,7 @@ import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
 * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
 * @version $Revision: 1 $
 */
@Ignore
 public class AuthzCleanupTest extends AbstractKeycloakTest {
    @Deployment
@ -60,12 +60,12 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
    }
    public static void setup(KeycloakSession session) {
        AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
        RealmModel realm = session.realms().getRealmByName(TEST);
        ClientModel client = session.realms().addClient(realm, "myclient");
        RoleModel role1 = client.addRole("client-role1");
        RoleModel role2 = client.addRole("client-role2");
        AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
        ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
        createRolePolicy(authz, resourceServer, role1);
        createRolePolicy(authz, resourceServer, role2);
@ -74,17 +74,13 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
    }
    private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
-        PolicyRepresentation representation = new PolicyRepresentation();
+        RolePolicyRepresentation representation = new RolePolicyRepresentation();
        representation.setName(role.getName());
        representation.setType("role");
        representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
        representation.setLogic(Logic.POSITIVE);
-
+        representation.addRole(role.getName(), true);
        String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
        Map<String, String> config = new HashMap<>();
        config.put("roles", roleValues);
        representation.setConfig(config);
        return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
@ -23,10 +23,8 @@ import static org.junit.Assert.assertTrue;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Supplier;
@ -34,27 +32,30 @@ import org.junit.Before;
 import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.admin.client.resource.ClientsResource;
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.authorization.client.AuthzClient;
 import org.keycloak.authorization.client.Configuration;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.util.AdminClientUtil;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.UserBuilder;
 import org.keycloak.util.JsonSerialization;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public abstract class AbstractPermissionManagementTest extends AbstractKeycloakTest {
    @Override
    public void addTestRealms(List<RealmRepresentation> testRealms) {
-        testRealms.add(RealmBuilder.create().name("authz-test")
+        testRealms.add(createTestRealm().build());
    }
    protected RealmBuilder createTestRealm() {
        return RealmBuilder.create().name("authz-test")
                .user(UserBuilder.create().username("marta").password("password"))
                .user(UserBuilder.create().username("kolo").password("password"))
                .client(ClientBuilder.create().clientId("resource-server-test")
@ -62,8 +63,7 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
                        .authorizationServicesEnabled(true)
                        .redirectUris("http://localhost/resource-server-test")
                        .defaultRoles("uma_protection")
-                        .directAccessGrants())
+                        .directAccessGrants());
                .build());
    }
    @Before
@ -88,18 +88,31 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
        assertNull(actual.getPolicies());
        assertNull(actual.getScopes());
-        assertEquals(expected.getPolicies().size(), policies.get().stream().map(representation1 -> representation1.getName()).filter(policyName -> expected.getPolicies().contains(policyName)).count());
+        List<PolicyRepresentation> associatedPolicies = policies.get();
-        if (expected.getResources() != null) {
+        if (expected.getPolicies() != null) {
-            assertEquals(expected.getResources().size(), resources.get().stream().map(representation1 -> representation1.getName()).filter(resourceName -> expected.getResources().contains(resourceName)).count());
+            assertEquals(expected.getPolicies().size(), associatedPolicies.size());
            assertEquals(0, associatedPolicies.stream().map(representation1 -> representation1.getName()).filter(policyName -> !expected.getPolicies().contains(policyName)).count());
        } else {
-            assertTrue(resources.get().isEmpty());
+            assertTrue(associatedPolicies.isEmpty());
        }
-        if (expected.getScopes() != null) {
+        List<ResourceRepresentation> associatedResources = resources.get();
-            assertEquals(expected.getScopes().size(), scopes.get().stream().map(representation1 -> representation1.getName()).filter(scopeName -> expected.getScopes().contains(scopeName)).count());
+
        if (expected.getResources() != null) {
            assertEquals(expected.getResources().size(), associatedResources.size());
            assertEquals(0, associatedResources.stream().map(representation1 -> representation1.getName()).filter(resourceName -> !expected.getResources().contains(resourceName)).count());
        } else {
-            assertTrue(scopes.get().isEmpty());
+            assertTrue(associatedResources.isEmpty());
        }
        List<ScopeRepresentation> associatedScopes = scopes.get();
        if (expected.getScopes() != null) {
            assertEquals(expected.getScopes().size(), associatedScopes.size());
            assertEquals(expected.getScopes().size(), associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
        } else {
            assertTrue(associatedScopes.isEmpty());
        }
        expected.setId(actual.getId());
@ -129,18 +142,12 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
    private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username) throws IOException {
        String userId = realm.users().search(username).stream().map(representation -> representation.getId()).findFirst().orElseThrow(() -> new RuntimeException("Expected user [userId]"));
-        PolicyRepresentation representation = new PolicyRepresentation();
+        UserPolicyRepresentation representation = new UserPolicyRepresentation();
        representation.setName(name);
-        representation.setType("user");
+        representation.addUser(userId);
-        Map<String, String> config = new HashMap<>();
+        client.authorization().policies().users().create(representation);
        config.put("users", JsonSerialization.writeValueAsString(new String[]{userId}));
        representation.setConfig(config);
        client.authorization().policies().create(representation);
    }
    protected ClientResource getClient() {
@ -159,12 +166,4 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
            throw new RuntimeException("Failed to create admin client", cause);
        }
    }
    private AuthzClient getAuthzClient() {
        try {
            return AuthzClient.create(JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/default-keycloak.json"), Configuration.class));
        } catch (IOException cause) {
            throw new RuntimeException("Failed to create authz client", cause);
        }
    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
@ -0,0 +1,183 @@
 /*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.testsuite.admin.client.authorization;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 import java.util.Collections;
 import java.util.stream.Collectors;
 import javax.ws.rs.NotFoundException;
 import javax.ws.rs.core.Response;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.AuthorizationResource;
 import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.admin.client.resource.RolePoliciesResource;
 import org.keycloak.admin.client.resource.RolePolicyResource;
 import org.keycloak.admin.client.resource.RolesResource;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.Logic;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.RolesBuilder;
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
    @Override
    protected RealmBuilder createTestRealm() {
        return super.createTestRealm().roles(
                RolesBuilder.create()
                        .realmRole(new RoleRepresentation("Role A", "Role A description", false))
                        .realmRole(new RoleRepresentation("Role B", "Role B description", false))
                        .realmRole(new RoleRepresentation("Role C", "Role C description", false))
        );
    }
    @Test
    public void testCreateRealmRolePolicy() {
        AuthorizationResource authorization = getClient().authorization();
        RolePolicyRepresentation representation = new RolePolicyRepresentation();
        representation.setName("Realm Role Policy");
        representation.setDescription("description");
        representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
        representation.setLogic(Logic.NEGATIVE);
        representation.addRole("Role A", false);
        representation.addRole("Role B", true);
        assertCreated(authorization, representation);
    }
    @Test
    public void testCreateClientRolePolicy() {
        ClientResource client = getClient();
        AuthorizationResource authorization = client.authorization();
        RolePolicyRepresentation representation = new RolePolicyRepresentation();
        representation.setName("Realm Client Role Policy");
        representation.setDescription("description");
        representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
        representation.setLogic(Logic.NEGATIVE);
        RolesResource roles = client.roles();
        roles.create(new RoleRepresentation("Client Role A", "desc", false));
        ClientRepresentation clientRep = client.toRepresentation();
        roles.create(new RoleRepresentation("Client Role B", "desc", false));
        representation.addRole("Client Role A", true);
        representation.addRole(clientRep.getClientId() + "/Client Role B", true);
        assertCreated(authorization, representation);
    }
    @Test
    public void testUpdate() {
        AuthorizationResource authorization = getClient().authorization();
        RolePolicyRepresentation representation = new RolePolicyRepresentation();
        representation.setName("Update Test Role Policy");
        representation.setDescription("description");
        representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
        representation.setLogic(Logic.NEGATIVE);
        representation.addRole("Role A", false);
        representation.addRole("Role B", true);
        representation.addRole("Role C", false);
        assertCreated(authorization, representation);
        representation.setName("changed");
        representation.setDescription("changed");
        representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        representation.setLogic(Logic.POSITIVE);
        representation.setRoles(representation.getRoles().stream().filter(roleDefinition -> !roleDefinition.getId().equals("Resource A")).collect(Collectors.toSet()));
        RolePoliciesResource policies = authorization.policies().roles();
        RolePolicyResource permission = policies.findById(representation.getId());
        permission.update(representation);
        assertRepresentation(representation, permission);
        for (RolePolicyRepresentation.RoleDefinition roleDefinition : representation.getRoles()) {
            if (roleDefinition.getId().equals("Role B")) {
                roleDefinition.setRequired(false);
            }
            if (roleDefinition.getId().equals("Role C")) {
                roleDefinition.setRequired(true);
            }
        }
        permission.update(representation);
        assertRepresentation(representation, permission);
    }
    @Test
    public void testDelete() {
        AuthorizationResource authorization = getClient().authorization();
        RolePolicyRepresentation representation = new RolePolicyRepresentation();
        representation.setName("Test Delete Permission");
        representation.addRole("Role A", false);
        RolePoliciesResource policies = authorization.policies().roles();
        Response response = policies.create(representation);
        RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
        policies.findById(created.getId()).remove();
        RolePolicyResource removed = policies.findById(created.getId());
        try {
            removed.toRepresentation();
            fail("Permission not removed");
        } catch (NotFoundException ignore) {
        }
    }
    private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
        RolePoliciesResource permissions = authorization.policies().roles();
        Response response = permissions.create(representation);
        RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
        RolePolicyResource permission = permissions.findById(created.getId());
        assertRepresentation(representation, permission);
    }
    private void assertRepresentation(RolePolicyRepresentation representation, RolePolicyResource permission) {
        RolePolicyRepresentation actual = permission.toRepresentation();
        assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
        assertEquals(representation.getRoles().size(), actual.getRoles().size());
        ClientRepresentation clientRep = getClient().toRepresentation();
        assertEquals(0, actual.getRoles().stream().filter(actualDefinition -> !representation.getRoles().stream()
                .filter(roleDefinition -> (getRoleName(actualDefinition.getId()).equals(roleDefinition.getId()) || (clientRep.getClientId() + "/" + getRoleName(actualDefinition.getId())).equals(roleDefinition.getId())) && actualDefinition.isRequired() == roleDefinition.isRequired())
                .findFirst().isPresent())
                .count());
    }
    private String getRoleName(String id) {
        return getRealm().rolesById().getRole(id).getName();
    }
 }
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
@ -40,6 +40,7 @@ import org.keycloak.models.RoleModel;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.util.JsonSerialization;
@ -287,26 +288,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
        return onAuthorizationSession(authorizationProvider -> {
            StoreFactory storeFactory = authorizationProvider.getStoreFactory();
            PolicyStore policyStore = storeFactory.getPolicyStore();
-            PolicyRepresentation representation = new PolicyRepresentation();
+            RolePolicyRepresentation representation = new RolePolicyRepresentation();
            representation.setName("Any Admin Policy");
            representation.setType("role");
-
+            representation.addRole("admin", false);
            HashedMap config = new HashedMap();
            RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
            RoleModel adminRole = realm.getRole("admin");
            Map role = new HashMap();
            role.put("id", adminRole.getId());
            try {
                config.put("roles", JsonSerialization.writeValueAsString(new Map[] {role}));
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            representation.setConfig(config);
            return policyStore.create(representation, resourceServer);
        });
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@ -1326,8 +1326,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
        onInitUpdate : function(policy) {
            var selectedUsers = [];
-            if (policy.config.users) {
+            if (policy.users) {
-                var users = eval(policy.config.users);
+                var users = policy.users;
                for (i = 0; i < users.length; i++) {
                    User.get({realm: $route.current.params.realm, userId: users[i]}, function(data) {
@ -1351,7 +1351,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
                users.push($scope.selectedUsers[i].id);
            }
-            $scope.policy.config.users = JSON.stringify(users);
+            $scope.policy.users = users;
            delete $scope.policy.config;
        },
        onCreate : function() {
@ -1361,7 +1362,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
                users.push($scope.selectedUsers[i].id);
            }
-            $scope.policy.config.users = JSON.stringify(users);
+            $scope.policy.users = users;
            delete $scope.policy.config;
        }
    }, realm, client, $scope);
 });
@ -1545,8 +1547,8 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
        onInitUpdate : function(policy) {
            var selectedRoles = [];
-            if (policy.config.roles) {
+            if (policy.roles) {
-                var roles = eval(policy.config.roles);
+                var roles = policy.roles;
                for (i = 0; i < roles.length; i++) {
                    RoleById.get({realm: $route.current.params.realm, role: roles[i].id}, function(data) {
@ -1586,7 +1588,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
                roles.push(role);
            }
-            $scope.policy.config.roles = JSON.stringify(roles);
+            $scope.policy.roles = roles;
        },
        onCreate : function() {
@ -1601,7 +1603,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
                roles.push(role);
            }
-            $scope.policy.config.roles = JSON.stringify(roles);
+            $scope.policy.roles = roles;
        }
    }, realm, client, $scope);