Issue with editing a Client auth

For the last few days, I was struggling with setting up proper permissions to create a user for external integrations. My findings are as follows:

  • Client doesn’t get permissions from the Impersonated user
  • I am not sure how to use Permitted, Forced and Forbidden roles, but only by setting up Permitted and Forced I was able to get my needed permissions (If my user is a member of a single group and I need to use permissions configured for the group, should I add it to the Permitted, Forced or both?)
  • POSSIBLE BUG: changing the Permitted and Forced roles after the client was created doesn’t affect permissions (even after regenerating secret and generating a new Token)

Permitted defines what roles the user is allowed to have when logging in through that auth client, so if they have the roles of A, B, and C but the client only permits roles A and C, those are the only ones they will have when logged in.
Similar for forced and prohibited roles.
When left empty, the user remains as defined (no role filtering/appending occurs).

So to answer your question, if you want that user to keep all their roles, leave those empty.
If you want them to only have a subset of allow-listed roles, define the permitted field.
If you want the user to 100% have some specific role, define the force field.

We’ll take a look to see what’s off.

1 Like
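
The role filtering described in the reply above, modelled as an added example (not the product's own code and not written by anyone in this thread). The function names and the order in which the three lists are applied are assumptions; `role_drift` compares the model with the roles observed in an issued token, which is where the stale-roles behaviour reported in this thread would show up.

```python
def effective_roles(user_roles, permitted=(), prohibited=(), forced=()):
    """Model of the roles a session gets when logging in through an auth client.

    Assumed order (not confirmed by the thread): allow-list, then deny-list,
    then forced roles appended last.
    """
    roles = set(user_roles)
    if permitted:                  # empty list: no filtering, user keeps all roles
        roles &= set(permitted)    # allow-list: keep only permitted roles
    roles -= set(prohibited)       # deny-list: strip prohibited roles
    roles |= set(forced)           # forced roles are always present
    return roles


def role_drift(expected, token_roles):
    """Report roles that the token lacks or carries beyond the modelled set."""
    expected, actual = set(expected), set(token_roles)
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
    }


if __name__ == "__main__":
    # Constructed sample data: a user with roles A, B and C.
    user = {"A", "B", "C"}

    print(effective_roles(user, permitted={"A", "C"}))     # only A and C survive
    print(effective_roles(user))                           # all lists empty: A, B, C
    print(effective_roles({"A"}, forced={"integration"}))  # forced role appended

    # Client edited from permitted={A} to permitted={A, C}; a freshly issued
    # token (constructed here) still carries the roles from before the edit.
    expected = effective_roles(user, permitted={"A", "C"})
    print(role_drift(expected, token_roles={"A"}))         # C is reported missing
```

An empty permitted list passes every role the user holds to the integration, so a client meant for a narrow purpose should list its permitted roles explicitly.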

@Arek looks like we did mess up a bit here and your observations on the bug are correct.
This seems to work fine on 2022.3.0-rc.4 – release candidate for the next major release scheduled ~end of this month.

If you don’t mind (if you’re still in the development phase) upgrade to the latest release candidate (the one above) and continue there.
Here is the WIP changelog; you shouldn’t have issues upgrading – I constantly switch my containers between 2021.9 and 2022.3 versions and nothing exploded so far, but I do suggest you follow the classic upgrade patterns.

Good to hear that my observation was correct instead of me missing something in the spec :) Thank you for your instructions. For now we have a workaround and it looks like we will hit production after the next release.

1 Like