From aa7c72178397deccc8a5d20465d27f876a635d44 Mon Sep 17 00:00:00 2001
From: Rohith <gambol99@gmail.com>
Date: Tue, 3 Jul 2018 16:30:44 +0100
Subject: [PATCH] - updating the README to reflect the changes

---
 CHANGELOG.md | 2 +-
 README.md    | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c949d2fd..606f1813 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 #### **2.2.3 (Unreleased)**
 
 FEATURES:
-* Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a `require-any-role` [#PR387](https://github.com/gambol99/keycloak-proxy/pull/387)
+* Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a `require-any-role` [#PR389](https://github.com/gambol99/keycloak-proxy/pull/389)
 
 #### **2.2.2**
 
diff --git a/README.md b/README.md
index 955b67e3..45261bfa 100644
--- a/README.md
+++ b/README.md
@@ -217,6 +217,7 @@ resources:
   roles:
   - client:test1
   - client:test2
+  require-any-role: true
   groups:
   - admins
   - users
@@ -253,7 +254,9 @@ bin/keycloak-proxy \
     --resources="uri=/public/*|white-listed=true"
 ```
 
-Note from release 2.2.0 the `--enable-default-deny` is true by default and should explicityly allow what you want through.
+Note from release 2.2.0 the `--enable-default-deny` is true by default and should explicitly allow what you want through.
+
+By default the roles defined on a resource perform a logical `AND` so all roles specified must be present in the claims, this behavior can be altered by the `require-any-role` option however so as long as one role is present the permission is granted.
 
 #### **HTTP Routing**