Troubleshoot Role-Based Access Control and Authorization
Here are some solutions to common issues experienced when implementing role-based access control (RBAC) using the Authorization Core feature set.
Role-based access control is enabled for my API, but the scopes claim is not showing what you say it should.
Make sure that you aren't setting
accessToken.scope in a [rule]. Remember that any configured authorization rules run after the RBAC-based authorization decisions are made, so they may override default behavior.