keycloak-scim/docs/documentation/server_admin/topics/roles-groups/con-role-scope-mappings.adoc
Alexander Schwartz 4dcb819c06 Moving docs to new folder
CIAM-5056
2023-03-20 09:07:58 +01:00

28 lines
1.8 KiB
Text

[id="con-role-scope-mappings_{context}"]
[[_role_scope_mappings]]
= Role scope mappings
[role="_abstract"]
On creation of an OIDC access token or SAML assertion, the user role mappings become claims within the token or assertion. Applications use these claims to make access decisions on the resources controlled by the application. {project_name} digitally signs access tokens and applications re-use them to invoke remotely secured REST services. However, these tokens have an associated risk. An attacker can obtain these tokens and use their permissions to compromise your networks. To prevent this situation, use _Role Scope Mappings_.
_Role Scope Mappings_ limit the roles declared inside an access token. When a client requests a user authentication, the access token they receive contains only the role mappings that are explicitly specified for the client's scope. The result is that you limit the permissions of each individual access token instead of giving the client access to all the users permissions.
By default, each client gets all the role mappings of the user.
You can view the role mappings for a client.
.Procedure
. Click *Clients* in the menu.
. Click the client to go to the details.
. Click the *Client scopes* tab.
. Click the link in the row with _Dedicated scope and mappers for this client_
. Click the *Scope* tab.
.Full scope
image:images/full-client-scope.png[Full scope]
By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, toggle *Full Scope Allowed* to *OFF* and declare the specific roles you want in each client.
You can also use <<_client_scopes, client scopes>> to define the same role scope mappings for a set of clients.
.Partial scope
image:images/client-scope.png[Partial scope]