The role uma_authorization is apparently created by default in Keycloak. What is this role? Can I safely delete it?
To answer the question, it's for something called User-Managed Access, which Keycloak supports.
By default, the feature is not enabled - but you can do so by going to Realm Settings > General Tab (the first tab) and toggling it. Since you're likely not using it, you can remove it.
The uma_protection role grants access to the Protection API endpoints for resource servers that own resources, permissions, policies, etc.
So the client can call e.g. http://${host}:${port}/realms/${realm_name}/authz/protection/resource_set
endpoint to query/manage its own resources with the token obtained using the client credentials flow.
This role is automatically granted to clients with Authorization enabled. You may see it assigned in "Service account roles" tab in Client details.
So when this role is deleted (or unassigned from the client), the resource server won't be able to manage its own resources or call the other Protection API endpoints, and will get a 403 response with a body like

    {
        "error": "invalid_scope",
        "error_description": "Requires uma_protection scope."
    }

However, you can still manage resources from inside the Keycloak security admin console.
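As an added example (not code from the answer above or from the Keycloak project), the following script obtains a client-credentials token and calls the Protection API resource_set endpoint mentioned above, and tells the "missing uma_protection role" 403 apart from other failures. The base URL, realm, client id and secret are placeholders you must replace.

```python
"""Call the UMA Protection API with a client-credentials token and diagnose
the 403 'invalid_scope' response that a client without uma_protection gets.
Base URL, realm, client id and secret below are placeholders (assumptions)."""
import json
import urllib.error
import urllib.parse
import urllib.request


def classify_protection_error(status: int, body: bytes) -> str:
    """Map a Protection API error response to a short diagnosis.

    403 with error "invalid_scope" is what Keycloak returns when the calling
    client's service account lacks the uma_protection role."""
    try:
        payload = json.loads(body.decode("utf-8") or "{}")
    except ValueError:
        payload = {}
    if status == 403 and payload.get("error") == "invalid_scope":
        return "missing uma_protection role on the service account"
    if status == 401:
        return "token missing, expired or invalid"
    return f"unexpected HTTP {status}: {payload.get('error') or body[:80]!r}"


def get_client_credentials_token(base_url, realm, client_id, client_secret):
    """Client credentials grant against the realm's token endpoint.
    Older Keycloak versions prefix the path with /auth."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)["access_token"]


def list_resource_sets(base_url, realm, token):
    """GET /authz/protection/resource_set; returns (status, raw body bytes)."""
    url = f"{base_url}/realms/{realm}/authz/protection/resource_set"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    BASE = "http://localhost:8080"  # placeholder Keycloak base URL
    tok = get_client_credentials_token(BASE, "myrealm", "my-client", "secret")
    status, body = list_resource_sets(BASE, "myrealm", tok)
    print(json.loads(body) if status == 200 else classify_protection_error(status, body))
```

With the role unassigned, the script prints the diagnosis instead of the list of resource ids; assigning uma_protection back under "Service account roles" makes the same call return 200.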