{ "enableDisable": "Disabled clients cannot initiate a login or have obtained access tokens.", "clientType": "'OpenID Connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.", "serviceAccount": "Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.", "manageServiceAccountUser": "To manage detail and group mappings, click on the username <1>{{link}}", "authentication": "This defines the type of the OIDC client. When it's ON, the OIDC type is set to confidential access type. When it's OFF, it is set to public access type", "authorization": "Enable/Disable fine-grained authorization support for a client", "authDetails": "Export and download all resource settings for this resource server.", "directAccess": "This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.", "standardFlow": "This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.", "implicitFlow": "This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.", "oauthDeviceAuthorizationGrant": "This enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.", "oidcCibaGrant": "This enables support for OIDC CIBA Grant, which means that the user is authenticated via some external authentication device instead of the user's browser.", "rootURL": "Root URL appended to relative URLs", "validRedirectURIs": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.", "validPostLogoutRedirectURIs": "Valid URI pattern a browser can redirect to after a successful logout. A value of '+' or an empty field will use the list of valid redirect uris. A value of '-' will not allow any post logout redirect uris. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used.", "nameIdFormat": "The name ID format to use for the subject.", "alwaysDisplayInUI": "Always list this client in the Account UI, even if the user does not have an active session.", "forceNameIdFormat": "Ignore requested NameID subject format and use Admin UI configured one.", "forcePostBinding": "Always use POST binding for responses.", "forceArtifactBinding": "Should response messages be returned to the client through the SAML ARTIFACT binding system?", "includeAuthnStatement": "Should a statement specifying the method and timestamp be included in login responses?", "includeOneTimeUseCondition": "Should a OneTimeUse Condition be included in login responses?", "optimizeLookup": "When signing SAML documents in REDIRECT binding for SP that is secured by Keycloak adapter, should the ID of the signing key be included in SAML protocol message in element? This optimizes validation of the signature as the validating party uses a single key instead of trying every known key for validation.", "allowEcpFlow": "This client is allowed to use ECP flow for authenticating users.", "signDocuments": "Should SAML documents be signed by the realm?", "signAssertions": "Should assertions inside SAML documents be signed? This setting is not needed if document is already being signed.", "signatureAlgorithm": "The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1'", "signatureKeyName": "Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counterparty, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.", "canonicalization": "Canonicalization Method for XML signatures.", "webOrigins": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.", "homeURL": "Default URL to use when the auth server needs to redirect or link back to the client.", "adminURL": "URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.", "client": "Select the client making this authorization request. If not provided, authorization requests would be done based on the client you are in.", "clientId": "Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests", "selectUser": "Select a user whose identity is going to be used to query permissions from the server.", "roles": "Select the roles you want to associate with the selected user.", "contextualAttributes": "Any attribute provided by a running environment or execution context.", "resourceType": "Specifies that this permission must be applied to all resource instances of a given type.", "applyToResourceType": "Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type.", "resources": "Specifies that this permission must be applied to a specific resource instance.", "scopesSelect": "Specifies that this permission must be applied to one or more scopes.", "clientName": "Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}", "description": "Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example: ${my_client_description}", "loginTheme": "Select theme for login, OTP, grant, registration, and forgot password pages.", "encryptAssertions": "Should SAML assertions be encrypted with client's public key using AES?", "clientSignature": "Will the client sign their saml requests and responses? And should they be validated?", "downloadType": "this is information about the download type", "details": "this is information about the details", "clientPolicyName": "Display name of the policy", "createToken": "An initial access token can only be used to create clients", "expiration": "Specifies how long the token should be valid", "count": "Specifies how many clients can be created using the token", "client-authenticator-type": "Client Authenticator used for authentication of this client against Keycloak server", "registration-access-token": "The registration access token provides access for clients to the client registration service.", "signature-algorithm": "JWA algorithm, which the client needs to use when signing a JWT for authentication. If left blank, the client is allowed to use any algorithm.", "anonymousAccessPolicies": "Those Policies are used when the Client Registration Service is invoked by unauthenticated request. This means that the request does not contain Initial Access Token nor Bearer Token.", "authenticatedAccessPolicies": "Those Policies are used when Client Registration Service is invoked by authenticated request. This means that the request contains Initial Access Token or Bearer Token.", "allowRegexComparison": "If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC2553 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property.", "subject": "A regular expression for validating Subject DN in the Client Certificate. Use \"(.*?)(?:$)\" to match all kind of expressions.", "evaluateExplain": "This page allows you to see all protocol mappers and role scope mappings", "effectiveProtocolMappers": "Contains all default client scopes and selected optional scopes. All protocol mappers and role scope mappings of all those client scopes will be used when generating access token issued for your client", "effectiveRoleScopeMappings": "Selected Optional Client Scopes, which will be used when issuing access token for this client. You can see above what value of OAuth Scope Parameter needs to be used when you want to have these optional client scopes applied when the initial OpenID Connect Authentication request will be sent from your client adapter", "generatedAccessToken": "See the example access token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself", "generatedIdToken": "See the example ID Token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself", "generatedUserInfo": "See the example User Info, which will be provided by the User Info Endpoint", "scopeParameter": "You can copy/paste this value of scope parameter and use it in initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating token issued for this client", "user": "Optionally select user, for whom the example access token will be generated. If you do not select a user, example access token will not be generated during evaluation", "notBefore": "Revoke any tokens issued before this time for this client. To push the policy, you should set an effective admin URL in the Settings tab first.", "notBeforeIntro": "In order to successfully push a revocation policy to the client, you need to set an Admin URL under the <1>Settings tab for this client first", "notBeforeTooltip": "The admin URL should be set in the Settings tab first.", "nodeReRegistrationTimeout": "Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak", "fineGrainOpenIdConnectConfiguration": "This section is used to configure advanced settings of this client related to OpenID Connect protocol.", "fineGrainSamlEndpointConfig": "This section to configure exact URLs for Assertion Consumer and Single Logout Service.", "logoUrl": "URL that references a logo for the Client application", "policyUrl": "URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used", "policyUsers": "Specifies which user(s) are allowed by this policy.", "termsOfServiceUrl": "URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service", "accessTokenSignatureAlgorithm": "JWA algorithm used for signing access tokens.", "idTokenSignatureAlgorithm": "JWA algorithm used for signing ID tokens.", "idTokenEncryptionKeyManagementAlgorithm": "JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "idTokenEncryptionContentEncryptionAlgorithm": "JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.", "userInfoSignedResponseAlgorithm": "JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.", "userInfoResponseEncryptionKeyManagementAlgorithm": "JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted.", "userInfoResponseEncryptionContentEncryptionAlgorithm": "JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256.", "requestObjectSignatureAlgorithm": "JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ).", "requestObjectRequired": "Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to \"not required\", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to \"request\", the request object must be provided by value. If set to \"request_uri\", the request object must be provided by reference. If set to \"request or request_uri\", either method can be used.", "requestObjectEncryption": "JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.", "requestObjectEncoding": "JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.", "validRequestURIs": "List of valid URIs, which can be used as values of 'request_uri' parameter during OpenID Connect authentication request. There is support for the same capabilities like for Valid Redirect URIs. For example wildcards or relative paths.", "idpInitiatedSsoUrlName": "URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}", "idpInitiatedSsoRelayState": "Relay state you want to send with SAML request when you want to do IDP Initiated SSO.", "masterSamlProcessingUrl": "If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overridden for each binding and service in the Fine Grain SAML Endpoint Configuration.", "authorizationSignedResponseAlg": "JWA algorithm used for signing authorization response tokens when the response mode is jwt.", "authorizationEncryptedResponseAlg": "JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "authorizationEncryptedResponseEnc": "JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted.", "openIdConnectCompatibilityModes": "This section is used to configure settings for backward compatibility with older OpenID Connect / OAuth 2 adaptors. It's useful especially if your client uses older version of Keycloak / RH-SSO adapter.", "excludeSessionStateFromAuthenticationResponse": "If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if your client uses older OIDC / OAuth2 adapter, which does not support 'session_state' parameter.", "useRefreshTokens": "If this is on, a refresh_token will be created and added to the token response. If this is off then no refresh_token will be generated.", "useRefreshTokenForClientCredentialsGrant": "If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed.", "useLowerCaseBearerType": "If this is on, token responses will be set the with the type \"bearer\" in lower-case. By default, the server sets the type as \"Bearer\" as defined by RFC6750.", "advancedSettingsOpenid-connect": "This section is used to configure advanced settings of this client related to OpenID Connect protocol", "advancedSettingsSaml": "This section is used to configure advanced settings of this client", "assertionLifespan": "Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The \"SessionNotOnOrAfter\" attribute is not modified and continue using the \"SSO Session Max\" time defined at realm level.", "accessTokenLifespan": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.", "clientSessionIdle": "Time a client is allowed to be idle before refreshing tokens is invalidated. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Idle value.", "clientSessionMax": "Max time before tokens are invalidated for the client. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Max value.", "clientOfflineSessionIdle": "Time a client is allowed to be idle before refreshing offline tokens is invalidated. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Idle value.", "clientOfflineSessionMax": "Max time before offline tokens are invalidated for the client. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Max value.", "oAuthMutual": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.", "keyForCodeExchange": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.", "pushedAuthorizationRequestRequired": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.", "acrToLoAMapping": "Define which ACR (Authentication Context Class Reference) value is mapped to which LoA (Level of Authentication). The ACR can be any value, whereas the LoA must be numeric.", "defaultACRValues": "Default values to be used as voluntary ACR in case that there is no explicit ACR requested by 'claims' or 'acr_values' parameter in the OIDC request.", "assertionConsumerServicePostBindingURL": "SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.", "assertionConsumerServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.", "logoutServicePostBindingURL": "SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding", "logoutServiceRedirectBindingURL": "SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.", "logoutServiceSoapBindingUrl": "SAML SOAP Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.", "logoutServiceArtifactBindingUrl": "SAML ARTIFACT Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.", "artifactBindingUrl": "URL to send the HTTP ARTIFACT messages to. You can leave this blank if you are using a different binding. This value should be set when forcing ARTIFACT binding together with IdP initiated login.", "frontchannelLogout": "When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.", "frontchannelLogoutUrl": "URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If not provided, it defaults to the base url.", "backchannelLogoutUrl": "URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client is this case.", "backchannelLogoutSessionRequired": "Specifying whether a sid (session ID) Claim is included in the Logout Token when the Backchannel Logout URL is used.", "backchannelLogoutRevokeOfflineSessions": "Specifying whether a \"revoke_offline_access\" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.", "artifactResolutionService": "SAML Artifact resolution service for the client. This is the endpoint to which Keycloak will send a SOAP ArtifactResolve message. You can leave this blank if you do not have a URL for this binding.", "authenticationOverrides": "Override realm authentication flow bindings.", "browserFlow": "Select the flow you want to use for browser authentication.", "directGrant": "Select the flow you want to use for direct grant authentication.", "useJwksUrl": "If the switch is on, client public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when client generates new keypair. If the switch is off, public key (or certificate) from the Keycloak DB is used, so when client keypair changes, you always need to import new key (or certificate) to the Keycloak DB as well.", "certificate": "Client Certificate for validate JWT issued by client and signed by Client private key from your keystore.", "jwksUrl": "URL where client keys in JWK format are stored. See JWK specification for more details. If you use Keycloak client adapter with \"jwt\" credential, you can use URL of your app with '/k_jwks' suffix. For example 'http://www.myhost.com/myapp/k_jwks' .", "generateKeysDescription": "If you generate new keys, you can download the keystore with the private key automatically and save it on your client's side. Keycloak server will save just the certificate and public key, but not the private key.", "archiveFormat": "Java keystore or PKCS12 archive format.", "keyAlias": "Archive alias for your private key and certificate.", "keyPassword": "Password to access the private key in the archive", "realmCertificateAlias": "Realm certificate is stored in archive too. This is the alias to it.", "storePassword": "Password to access the archive itself", "consentRequired": "If enabled, users have to consent to client access.", "displayOnClient": "Applicable only if 'Consent Required' is on for this client. If this switch is off, the consent screen will contain just the consents corresponding to configured client scopes. If on, there will be also one item on the consent screen about this client itself.", "consentScreenText": "Applicable only if 'Display Client On Consent Screen' is on for this client. Contains the text which will be on the consent screen about permissions specific just for this client.", "import": "Import a JSON file containing authorization settings for this resource server.", "policyEnforcementMode": "The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.", "decisionStrategy": "The decision strategy dictates how permissions are evaluated and how a final decision is obtained. 'Affirmative' means that at least one permission must evaluate to a positive decision in order to grant access to a resource and its scopes. 'Unanimous' means that all permissions must evaluate to a positive decision in order for the final decision to be also positive.", "allowRemoteResourceManagement": "Should resources be managed remotely by the resource server? If false, resources can be managed only from this Admin UI.", "resourceName": "A unique name for this resource. The name can be used to uniquely identify a resource, useful when querying for a specific resource.", "displayName": "A user-friendly name for the resource, mainly used when rendering user-facing forms. It supports internationalization so that values can be loaded from message bundles.", "type": "The type of this resource. It can be used to group different resource instances with the same type.", "uris": "Set of URIs which are protected by resource.", "scopes": "The scopes associated with this resource.", "dedicatedScopeExplain": "This is a client scope which includes the dedicated mappers and scope", "fullScopeAllowed": "Allows you to disable all restrictions.", "iconUri": "A URI pointing to an icon.", "ownerManagedAccess": "If enabled, the access to this resource can be managed by the resource owner.", "resourceAttribute": "The attributes associated wth the resource.", "resetActions": "Set of actions to execute when sending the user a Reset Actions Email. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator.", "lifespan": "Maximum time before the action permit expires.", "scopeName": "A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope.", "scopeDisplayName": "A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope.", "policy-name": "The name of this policy.", "policy-description": "A description for this policy.", "policyDecisionStagey": "The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.", "applyPolicy": "Specifies all the policies that must be applied to the scopes defined by this policy or permission.", "policyClient": "Specifies which client(s) are allowed by this policy.", "groupsClaim": "If defined, the policy will fetch user's groups from the given claim within an access token or ID token representing the identity asking permissions. If not defined, user's groups are obtained from your realm configuration.", "policyGroups": "Specifies which user(s) are allowed by this policy.", "targetClaim": "Specifies the target claim which the policy will fetch.", "regexPattern": "Specifies the regex pattern.", "policyRoles": "Specifies the client roles allowed by this policy.", "startTime": "Defines the time before which the policy MUST NOT be granted. Only granted if current date/time is after or equal to this value.", "expireTime": "Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.", "month": "Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.", "dayMonth": "Defines the day of month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.", "hour": "Defines the hour when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.", "minute": "Defines the minute when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.", "policyCode": "The JavaScript code providing the conditions for this policy.", "logic": "The logic dictates how the policy decision should be made. If 'Positive', the resulting effect (permit or deny) obtained during the evaluation of this policy will be used to perform a decision. If 'Negative', the resulting effect will be negated, in other words, a permit becomes a deny and vice-versa.", "permissionName": "The name of this permission.", "permissionDescription": "A description for this permission.", "applyToResourceTypeFlag": "Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type.", "permissionResources": "Specifies that this permission must be applied to a specific resource instance.", "permissionScopes": "Specifies that this permission must be applied to one or more scopes.", "permissionPolicies": "Specifies all the policies that must be applied to the scopes defined by this policy or permission.", "permissionType": "Specifies that this permission must be applied to all resources instances of a given type.", "permissionDecisionStrategy": "The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.", "permissionsEnabled": "Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up." }