Feature Request
Resolution: Unresolved
Major
The current RH-SSO/Keycloak Role Check policy offers two options for how it operates:
- whitelist
- blacklist
Along with this type, a user must configure resources to match paths. The current implementation makes the assumption that an endpoint which doesn't match any resource is a "failure" of having the role. For a whitelist, this behavior denies access to any endpoint not matching resources in the configuration.
Please add another option to select whether non-matching endpoints should be ignored (new feature) or treated as not having a role (current behavior). This may be a new boolean value, or it may be a new set of options alongside whitelist/blacklist. In order to avoid disruption of existing uses of this policy, I would expect default behavior to be the existing behavior: treat non-matching endpoints as failures to have a role.
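The decision logic described above, modelled as an added example; this is not the policy's own code. The `Resource` shape, the regex path format, and the `ignore_unmatched` flag are assumptions standing in for the requested option, and the blacklist branch (deny when the role is held) is assumed from the description.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    pattern: str       # regex for the request path (constructed format)
    roles: frozenset   # roles the token must all hold for this resource


# Constructed sample configuration: only /admin/... is covered by a resource.
RESOURCES = (Resource(r"/admin/.*", frozenset({"admin"})),)


def evaluate(resources, path, token_roles):
    """Return (matched, has_role) for a request path and the token's roles."""
    matched = [r for r in resources if re.fullmatch(r.pattern, path)]
    has_role = any(r.roles <= token_roles for r in matched)
    return bool(matched), has_role


def allow(policy_type, resources, path, token_roles, ignore_unmatched=False):
    """Model of the role check.

    ignore_unmatched=False is the behavior the request describes as current:
    a path matching no resource counts as "does not have the role".
    ignore_unmatched=True is the requested option (hypothetical name):
    the policy takes no decision for such paths and lets them through.
    """
    matched, has_role = evaluate(resources, path, token_roles)
    if not matched and ignore_unmatched:
        return True            # requested: policy does not apply to this path
    if policy_type == "whitelist":
        return has_role        # unmatched => has_role False => denied
    if policy_type == "blacklist":
        return not has_role    # unmatched => has_role False => allowed
    raise ValueError(f"unknown policy type: {policy_type!r}")


if __name__ == "__main__":
    for path in ("/admin/users", "/health"):
        for flag in (False, True):
            verdict = allow("whitelist", RESOURCES, path, {"user"}, flag)
            print(f"whitelist {path} ignore_unmatched={flag}: {verdict}")
```

With the option enabled, a whitelist no longer fails closed: a path that a resource pattern was meant to cover but does not match is passed through instead of denied.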