
The CoreOne Suite offers extensive access management. Within this access management, permissions are called resource assignments. Whenever i) an administrator assigns a resource to a user in the Admin UI, ii) a user receives resources through an assignment rule, or iii) someone uses the self-service portal to delegate a service permission, or a service permission of a company, to someone else, those permissions are stored in the access management space as resource assignments.

From here, those resource assignments are provisioned to the CoreOne Authentication Service. During this provisioning process, assignment context and other transformations can be applied; with those transformations, application-specific information can be added. Whenever a user then authenticates for a given application, the provisioned resource assignments are exposed to the application as part of the access token, either through the roles claim or through the roles_with_context claim. The latter is used whenever a resource assignment has a context. For example, someone has the right to submit taxes for the company ITSENSE; the company ITSENSE represents the context.

There are use cases where those permissions need to be available to the application even when the user is not present (offline access), or where the application needs to know the permissions of other users or other entities (companies, users). For such cases, the permission API of the CoreOne Authentication Service can be used.

...

To access this endpoint, you need to have the CoreOne Authentication Service API Read Permissions for My Application permission assigned to your user. The endpoint itself only returns permissions associated with the client calling the endpoint, which limits what is exposed. In most use cases it is advisable to use this endpoint.

...