keycloak-scim/docs/documentation/authorization_services/topics/resource-server-default-config.adoc
rmartinc cce9ae94c7 Move documentation to keycloak-client
Closes #31870

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-04 10:55:46 +02:00

52 lines
3.1 KiB
Text

[[_resource_server_default_config]]
= Default Configuration
When you create a resource server, {project_name} creates a default configuration for your newly created resource server.
The default configuration consists of:
* A default protected resource representing all resources in your application.
* A policy that always grants access to the resources protected by this policy.
* A permission that governs access to all resources based on the default policy.
The default protected resource is referred to as the *default resource* and you can view it if you navigate to the *Resources* tab.
.Default resource
image:images/resource-server/default-resource.png[alt="Default resource"]
This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a
wildcard pattern that indicates to {project_name} that this resource represents all the paths in your application. In other words,
when enabling policy enforcement for your application, all the permissions associated with the resource
will be examined before granting access.
The `Type` mentioned previously defines a value that can be used to create <<_permission_typed_resource, typed resource permissions>> that must be applied
to the default resource or any other resource you create using the same type.
The default policy is referred to as the *only from realm policy* and you can view it if you navigate to the *Policies* tab.
.Default policy
image:images/resource-server/default-policy.png[alt="Default policy"]
This policy is a <<_policy_js, JavaScript-based policy>> defining a condition that always grants access to the resources protected by this policy. If you click this policy you can see that it defines a rule as follows:
```js
// by default, grants any permission associated with this policy
$evaluation.grant();
```
Lastly, the default permission is referred to as the *default permission* and you can view it if you navigate to the *Permissions* tab.
.Default Permission
image:images/resource-server/default-permission.png[alt="Default Permission"]
This permission is a <<_permission_create_resource, resource-based permission>>, defining a set of one or more policies that are applied to all resources with a given type.
== Changing the default configuration
You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own.
The default resource is created with a **URI** that maps to any resource or path in your application using a **/*** pattern. Before creating your own resources, permissions and policies, make
sure the default configuration doesn't conflict with your own settings.
[NOTE]
The default configuration defines a resource that maps to all paths in your application. If you are about to write permissions to your own resources, be sure to remove the *Default Resource* or change its ```URIS``` fields to a more specific paths in your application. Otherwise, the policy associated with the default resource (which by default always grants access) will allow {project_name} to grant access to any protected resource.